LinuxCommandLibrary

pve-firewall

Manage Proxmox Virtual Environment firewall rules

TLDR

Compile and print all firewall rules
$ pve-firewall compile    # short form: pve-firewall c

Show information about the local network
$ pve-firewall localnet    # short form: pve-firewall l

Restart the Proxmox VE Firewall service
$ pve-firewall restart    # short form: pve-firewall r

Start the Proxmox VE Firewall service
$ pve-firewall start

Stop the Proxmox VE Firewall service
$ pve-firewall stop

Simulate all firewall rules
$ pve-firewall simulate    # short form: pve-firewall si

Show the status of Proxmox VE Firewall
$ pve-firewall status

SYNOPSIS

pve-firewall <command> [<options>]

Common commands include start, stop, reload, status, set, get, block-ip, unblock-ip, log, aliases, ipset, securitygroup, and rule. Specific options and arguments depend on the chosen <command>.

DESCRIPTION

The pve-firewall command provides a high-level interface for managing the integrated firewall within Proxmox Virtual Environment (PVE). It abstracts the complexities of underlying netfilter (iptables/nftables) rules, allowing users to configure firewall settings at multiple levels: the entire datacenter, individual Proxmox nodes (hosts), and specific virtual machines (VMs) or containers (CTs).

It supports various features including rule management, security groups, IP sets, aliases, and logging. The firewall ensures network isolation and enhances the security of virtualized environments by controlling ingress and egress traffic. All configurations are stored in the cluster filesystem (pmxcfs), enabling real-time synchronization across all cluster nodes.

CAVEATS

Direct manipulation of iptables or nftables rules can interfere with pve-firewall's operation and is generally discouraged unless you understand its internals. Using block-ip indiscriminately can lead to network lockout. The firewall relies on the pve-firewall service running correctly on all nodes.

FIREWALL LEVELS

pve-firewall allows rules to be applied at three distinct levels:
Datacenter Level: Global rules applied to all nodes and VMs/CTs in the cluster.
Host Level: Rules specific to an individual Proxmox node, affecting all traffic to/from that host.
VM/CT Level: Rules applied directly to a specific virtual machine or container, controlling its individual network traffic.

CONFIGURATION STORAGE

All pve-firewall configurations, including rules, IP sets, and aliases, are stored within the pmxcfs (Proxmox Cluster File System). This ensures that configurations are consistent across all nodes in a Proxmox VE cluster and allows for live updates without requiring manual synchronization.
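A configuration audit for the objects described above (options, IP sets, rules at one level), as an added example that is not from this page or from Proxmox's own tooling: it parses a constructed VM-level .fw file and flags inbound ACCEPT rules on sensitive ports with no source restriction, rules that reference an undefined IP set, and a default-allow inbound policy. The .fw section layout and rule syntax are assumed from the Proxmox documentation, and the sensitive-port list is this example's own assumption.

```python
SENSITIVE_PORTS = {"22", "8006"}  # SSH and the PVE web UI/API (assumed list)
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET admins]
10.0.0.10 # admin workstation
[RULES]
IN SSH(ACCEPT) -source +admins -log nolog
IN ACCEPT -p tcp -dport 8006 -log nolog
|IN ACCEPT -p tcp -dport 22
IN ACCEPT -p tcp -dport 443 -source +staff
"""  # constructed sample VM-level config; .fw layout assumed from Proxmox docs
def parse_fw(text):
    """Split .fw text into (options, ipsets, rules); aliases and groups are skipped."""
    options, ipsets, rules, kind, name = {}, {}, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if line.startswith("[") and line.endswith("]"):  # [OPTIONS], [IPSET name], ...
            kind, _, name = line[1:-1].partition(" ")
            kind, name = kind.upper(), name.strip()
            if kind == "IPSET":
                ipsets[name] = []
        elif not line:
            continue
        elif kind == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif kind == "IPSET":
            ipsets[name].append(line)
        elif kind == "RULES":  # a leading '|' marks a disabled rule
            toks = line.lstrip("|").split()
            opts = dict(zip([t.lstrip("-") for t in toks[2::2]], toks[3::2]))
            rules.append((not line.startswith("|"), toks[0], toks[1], opts))
    return options, ipsets, rules
def audit(text):
    """Return findings: default-allow policy, open sensitive ports, undefined IP sets."""
    options, ipsets, rules = parse_fw(text)
    findings = []
    if options.get("policy_in", "DROP").upper() == "ACCEPT":
        findings.append("policy_in is ACCEPT: inbound traffic allowed by default")
    for enabled, direction, action, opts in rules:
        if not enabled or direction != "IN" or "ACCEPT" not in action.upper():
            continue  # disabled, outbound, and DROP/REJECT rules are not flagged
        src = opts.get("source")
        if src and src.startswith("+") and src[1:] not in ipsets:
            findings.append(f"rule references undefined IP set {src}")
        if opts.get("dport") in SENSITIVE_PORTS and not src:
            findings.append(f"port {opts['dport']} accepted from any source")
    return findings
```

Running `audit(SAMPLE_FW)` reports the unrestricted port 8006 rule and the reference to the undefined set +staff; the disabled port 22 rule and the set-restricted SSH macro are left alone.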

HISTORY

The integrated firewall was introduced in Proxmox VE 3.4 (released in 2015) to provide a centralized and easy-to-use firewall solution for virtualized environments. Initially built upon iptables, its capabilities have evolved to support nftables and integrate seamlessly with new Proxmox VE features, constantly enhancing network security management.

SEE ALSO

iptables(8), nft(8), pmxcfs(5), qm(1), pct(1), pve-cluster(1)
