LinuxCommandLibrary

pve-firewall

Manage Proxmox Virtual Environment firewall rules

TLDR

Compile and print all firewall rules
$ pve-firewall compile

Show information about the local network
$ pve-firewall localnet

Restart the Proxmox VE Firewall service
$ pve-firewall restart

Start the Proxmox VE Firewall service
$ pve-firewall start

Stop the Proxmox VE Firewall service
$ pve-firewall stop

Simulate all firewall rules
$ pve-firewall simulate

Show the status of Proxmox VE Firewall
$ pve-firewall status

SYNOPSIS

pve-firewall []

PARAMETERS

--digest
    Only verify the configuration file if the digest matches. Use 'pve-firewall digest' to get the current digest.

--configfile
    Use the specified configuration file. The default is /etc/pve/firewall/cluster.fw.

log
    Show firewall log

compile
    Compile the firewall rules

status
    Show firewall status

digest
    Calculate the configuration file digest

help
    Show help

DESCRIPTION

The `pve-firewall` command is a command-line interface for managing the Proxmox Virtual Environment (PVE) firewall. It allows you to define and manage firewall rules for virtual machines (VMs), containers, and the Proxmox VE host itself. This firewall is based on iptables and offers a flexible and robust way to secure your virtualized environment.

Using this command, you can create rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols. It integrates directly with the Proxmox VE web interface, allowing for both CLI and GUI-based management. The firewall operates at the datacenter, node, and VM/container levels, enabling granular control over network access. Key features include rule ordering, logging, and integration with other Proxmox VE features like HA (High Availability).

FIREWALL CONCEPTS

The Proxmox VE firewall uses a hierarchical structure. Rules are applied in the order: Datacenter -> Node -> VM/Container. If a rule matches at a higher level, it takes precedence. This allows for centralized management while still providing flexibility at the VM/Container level.

The firewall provides the 'ipset' infrastructure to group multiple IPs/Networks in a single entry.

RULE MANAGEMENT

The actual firewall rules are defined in JSON format within the configuration file. The `pve-firewall` command provides tools to manipulate this file. However, it's generally recommended to manage rules via the Proxmox VE web interface or API for easier administration. The 'compile' command builds the iptables rules according to the JSON configuration file.
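A health check built on the `compile` and `status` subcommands listed above, suitable for cron or a monitoring agent. This is an added example, not part of the original page or of Proxmox VE. It assumes that `pve-firewall status` prints a first line of the form `Status: enabled/running`, optionally followed by `(pending changes)`, and that a non-zero exit status from `pve-firewall compile` means the rules could not be compiled; `PVE_FW`, `classify_status` and `check_firewall` are names chosen for this example.

```shell
#!/bin/sh
# Added example: report whether the PVE firewall is actually enforcing rules.
# Assumed status line formats (not taken from the page):
#   Status: enabled/running
#   Status: enabled/running (pending changes)
#   Status: disabled/running
#   Status: enabled/stopped

# Command to call; overridable so the check can be exercised with a stub.
PVE_FW="${PVE_FW:-pve-firewall}"

# Classify one status line. Prints OK, PENDING, DISABLED, STOPPED or UNKNOWN.
classify_status() {
    case "$1" in
        "Status: enabled/running (pending changes)") echo PENDING ;;
        "Status: enabled/running")                   echo OK ;;
        "Status: disabled/"*)                        echo DISABLED ;;
        "Status: "*"/stopped"*)                      echo STOPPED ;;
        *)                                           echo UNKNOWN ;;
    esac
}

# Returns 0 when rules compile and the firewall is enabled and running,
# 1 when changes are pending, 2 for anything that leaves traffic unfiltered
# or that cannot be determined.
check_firewall() {
    if ! "$PVE_FW" compile >/dev/null 2>&1; then
        echo "CRITICAL: rule compilation failed"
        return 2
    fi
    state=$(classify_status "$("$PVE_FW" status 2>/dev/null | head -n 1)")
    case "$state" in
        OK)      echo "OK: firewall enabled and running"; return 0 ;;
        PENDING) echo "WARNING: firewall running with pending changes"; return 1 ;;
        *)       echo "CRITICAL: firewall state is $state"; return 2 ;;
    esac
}
```

Call `check_firewall` on each node and alert on any non-zero return; an unrecognised status line is treated as critical so that a format change does not pass silently.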
