From the Proxmox documentation: If you enable the firewall, traffic to all hosts is blocked by default. Only exceptions is WebGUI(8006) and ssh(22) from your local network. In other words, as long as you're in the same local network as the hosts, enabling the firewall without any rules defined will NOT block you out from the Proxmox hosts. You still will be able to manage them via the GUI and SSH.

This is a fantastic channel! Pure, useful info! I was just wandering around the forums trying to figure this out for myself (e.g. don't want VMs to be able to just reach out to the proxmox nodes' web interfaces themselves!), so I'm so glad I stumbled upon this!

This is actually so useful. Just discovered your channel. You are a beast

I set output policy to drop everywhere, then defined 1st rule accept with destination gateway, 2nd rule drop with destination ALL local IPV4 addresses, third accept out anywhere else

Thanks for sharing. A nice and clean video with a lot of useful information to me

I don't get why out rules towards the internet are needed when the default policy for output was already ACCEPT under Datacenter, and also the individual LXC. Shouldn't it be turned to DROP for output rules to become necessary, otherwise everything out is accepted?

Very cool. I was wondering about this. I had them turned off, but you showed how to implement correctly. Thanks!

Love your videos. Thank you for sharing your knowledge :) Hugs from Portugal!

This is actually so useful. Thanks!

Thank you. Great video and tutorial.

Great video, thank you very much. However, what I don't understand is that when I run the command 'nmap -sn' in the 'vm', it can still see the other devices on my local network. Does anyone know why?

Hi MRP We are running 4 node ceph cluster with PBS on another bare metal. We have configured simple zone in SDN as well. You explained the FW well. Thank you for your efforts. please shoot some videos on FW security groups and SDN with simple and vlan zones.

Hello Sir! May I ask you a question? Which rule do I have to add to the firewall to reject all traffic and connections to ipv6 adresses? When I activate the "Localnet" profile it blocks all IPV4 only.

This is a great video. I am a very big fan of IPTABLES. Behind the scene it is the IPtables at work. This gives a very eassy way to write the rules. It would be good to see if we write the Iptables rules in the proxmos shell, will it refelect in the proxmos gui. Proxmos is really good. I remember in the late 90s we have this Webadmin for linux which is gui based configuration and now I see proxmox like that tool with hypervisor capability. Thanks again MRP. This is a great video.

What would be the best way to run a firewall? Local router -> Proxmox -> PFsense ( manage all interfaces from Promox ) or PFSense -> Proxmox ?

Great video!! As a complement to this one can you please make one for setting up vlan? Thanks

Great video, thanks

hi there you lxc container pihole, I installed it using simple SDN. I can update, ping etc.. but when I place the NAT ip address in the web browser with the /admin, I get nothing. If I switch it to vmbr0 it works. any suggestions?

Please do a video on the security groups

It's a good idea to block all traffic except that directed to gateway

Can this be used for public facing server VMs to prevent access to the rest of the network in the event the server is compromised?

Thanks.

thx

I have localsite connected through cloudflared tunnel, the problem is i cant store/save data through domain name instead local ip. Is this any related with firewall ? Thanks