pve-firewall

Compile and print all firewall rules

$ pve-firewall compile

$ pve-firewall localnet

$ pve-firewall restart

$ pve-firewall start

$ pve-firewall stop

$ pve-firewall simulate

$ pve-firewall status

pve-firewall []

--digest
    Only verify the configuration file if the digest matches. Use 'pve-firewall digest' to get the current digest.

--configfile
    Use the specified configuration file. The default is /etc/pve/firewall/cluster.fw.

log
    Show firewall log

compile
    Compile the firewall rules

status
    Show firewall status

digest
    Calculate the configuration file digest

help
    Show help

The `pve-firewall` command is a command-line interface for managing the Proxmox Virtual Environment (PVE) firewall. It allows you to define and manage firewall rules for virtual machines (VMs), containers, and the Proxmox VE host itself. This firewall is based on iptables and offers a flexible and robust way to secure your virtualized environment.

Using this command, you can create rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols. It integrates directly with the Proxmox VE web interface, allowing for both CLI and GUI-based management. The firewall operates at the datacenter, node, and VM/container levels, enabling granular control over network access. Key features include rule ordering, logging, and integration with other Proxmox VE features like HA (High Availability).

The Proxmox VE firewall uses a hierarchical structure. Rules are applied in the order: Datacenter -> Node -> VM/Container. If a rule matches at a higher level, it takes precedence. This allows for centralized management while still providing flexibility at the VM/Container level.

The firewall provides the 'ipset' infrastructure to group multiple IPs/Networks in a single entry.

The actual firewall rules are defined in JSON format within the configuration file. The `pve-firewall` command provides tools to manipulate this file. However, it's generally recommended to manage rules via the Proxmox VE web interface or API for easier administration. The 'compile' command will build the Iptables rules according the the JSON configuration file.

iptables(8)