From: Manuel Federanko <m.federanko@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [PATCH docs] pve-firewall: update list of implicit rules.
Date: Tue, 5 May 2026 13:21:20 +0200 [thread overview]
Message-ID: <206b2c30-f05e-42c3-8c93-8e1b45c47be1@proxmox.com> (raw)
In-Reply-To: <d8dae8c9-a5d7-4c0d-aaa2-aa15b00c44f5@proxmox.com>
On 2026-05-04 1:09 PM, Stefan Hanreich wrote:
> There is also a completely separate section which describes the default
> firewall ruleset in greater detail [1]. It might make sense to link to
> this section and maintain the full list there? This warning could then
> be reformulated a bit (just a draft):
>
> If you enable the firewall, traffic to all hosts will be blocked by
> default - with some exceptions for traffic coming from the local network
> to the WebUI, SSH and other important services. More information can be
> found <link_to_default_rules_section>.
>
>
> [1]
> https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_datacenter_incoming_outgoing_drop_reject
Thanks for the feedback! I just sent a v2
> On 5/4/26 1:03 PM, Manuel Federanko wrote:
>> Updated the documentation note to reflect the current state of
>> pve-firewall. Also added a section directing users to the macro system
>> if they need additional rules.
>>
>> Suggested-by: Friedrich Weber <f.weber@proxmox.com>
>> Signed-off-by: Manuel Federanko <m.federanko@proxmox.com>
>> ---
>> pve-firewall.adoc | 11 ++++++++---
>> 1 file changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
>> index f04134a..df396d1 100644
>> --- a/pve-firewall.adoc
>> +++ b/pve-firewall.adoc
>> @@ -172,9 +172,14 @@ set the enable option here:
>> enable: 1
>> ----
>>
>> -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
>> -default. Only exceptions is WebGUI(8006) and ssh(22) from your local
>> -network.
>> +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked
>> +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync
>> +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports
>> +(60000:60050) from your local network.
>> +
>> +Should you have other services running which communicate over the
>> +network, you will have to allow them seperately. For some common
>> +services there are `macros` available.
>>
>> If you want to administrate your {pve} hosts from remote, you
>> need to create rules to allow traffic from those remote IPs to the web
>
next prev parent reply other threads:[~2026-05-05 11:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-04 11:04 [PATCH docs] pve-firewall: update list of implicit rules Manuel Federanko
2026-05-04 11:10 ` Stefan Hanreich
2026-05-05 11:21 ` Manuel Federanko [this message]
2026-05-05 11:22 ` superseded: " Manuel Federanko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=206b2c30-f05e-42c3-8c93-8e1b45c47be1@proxmox.com \
--to=m.federanko@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox