From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 9FF111FF136 for ; Mon, 04 May 2026 13:05:18 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6B8B219F73; Mon, 4 May 2026 13:05:16 +0200 (CEST) From: Manuel Federanko To: pve-devel@lists.proxmox.com Subject: [PATCH docs] pve-firewall: update list of implicit rules. Date: Mon, 4 May 2026 13:04:38 +0200 Message-ID: <20260504110438.71713-1-m.federanko@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.293 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: R3L44SVG6PDDIZ3MUV7IQR4LEGN2RXXG X-Message-ID-Hash: R3L44SVG6PDDIZ3MUV7IQR4LEGN2RXXG X-MailFrom: mfederanko@dev.localdomain X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Updated the documentation note to reflect the current state of pve-firewall. Also added a section directing users to the macro system if they need additional rules. Suggested-by: Friedrich Weber Signed-off-by: Manuel Federanko --- pve-firewall.adoc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pve-firewall.adoc b/pve-firewall.adoc index f04134a..df396d1 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -172,9 +172,14 @@ set the enable option here: enable: 1 ---- -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by -default. Only exceptions is WebGUI(8006) and ssh(22) from your local -network. +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports +(60000:60050) from your local network. + +Should you have other services running which communicate over the +network, you will have to allow them seperately. For some common +services there are `macros` available. If you want to administrate your {pve} hosts from remote, you need to create rules to allow traffic from those remote IPs to the web -- 2.47.3