[PATCH docs] pve-firewall: update list of implicit rules.

[PATCH docs] pve-firewall: update list of implicit rules.

[Manuel Federanko]

Updated the documentation note to reflect the current state of
pve-firewall. Also added a section directing users to the macro system
if they need additional rules.

Suggested-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Manuel Federanko <m.federanko@proxmox.com>
---
 pve-firewall.adoc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index f04134a..df396d1 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -172,9 +172,14 @@ set the enable option here:
 enable: 1
 ----
 
-IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
-default. Only exceptions is WebGUI(8006) and ssh(22) from your local
-network.
+IMPORTANT: If you enable the firewall, traffic to all hosts is blocked
+by default. The only exceptions are the WebGUI(8006), ssh(22), corosync
+(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports
+(60000:60050) from your local network.
+
+Should you have other services running which communicate over the
+network, you will have to allow them seperately. For some common
+services there are `macros` available.
 
 If you want to administrate your {pve} hosts from remote, you
 need to create rules to allow traffic from those remote IPs to the web
-- 
2.47.3

Re: [PATCH docs] pve-firewall: update list of implicit rules.

[Stefan Hanreich]

There is also a completely separate section which describes the default
firewall ruleset in greater detail [1]. It might make sense to link to
this section and maintain the full list there? This warning could then
be reformulated a bit (just a draft):

If you enable the firewall, traffic to all hosts will be blocked by
default - with some exceptions for traffic coming from the local network
to the WebUI, SSH and other important services. More information can be
found <link_to_default_rules_section>.


[1]
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_datacenter_incoming_outgoing_drop_reject

On 5/4/26 1:03 PM, Manuel Federanko wrote:
> Updated the documentation note to reflect the current state of
> pve-firewall. Also added a section directing users to the macro system
> if they need additional rules.
> 
> Suggested-by: Friedrich Weber <f.weber@proxmox.com>
> Signed-off-by: Manuel Federanko <m.federanko@proxmox.com>
> ---
>  pve-firewall.adoc | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index f04134a..df396d1 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -172,9 +172,14 @@ set the enable option here:
>  enable: 1
>  ----
>  
> -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
> -default. Only exceptions is WebGUI(8006) and ssh(22) from your local
> -network.
> +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked
> +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync
> +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports
> +(60000:60050) from your local network.
> +
> +Should you have other services running which communicate over the
> +network, you will have to allow them seperately. For some common
> +services there are `macros` available.
>  
>  If you want to administrate your {pve} hosts from remote, you
>  need to create rules to allow traffic from those remote IPs to the web

Re: [PATCH docs] pve-firewall: update list of implicit rules.

[Manuel Federanko]

On 2026-05-04 1:09 PM, Stefan Hanreich wrote:
> There is also a completely separate section which describes the default
> firewall ruleset in greater detail [1]. It might make sense to link to
> this section and maintain the full list there? This warning could then
> be reformulated a bit (just a draft):
> 
> If you enable the firewall, traffic to all hosts will be blocked by
> default - with some exceptions for traffic coming from the local network
> to the WebUI, SSH and other important services. More information can be
> found <link_to_default_rules_section>.
> 
> 
> [1]
> https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_datacenter_incoming_outgoing_drop_reject

Thanks for the feedback! I just sent a v2

> On 5/4/26 1:03 PM, Manuel Federanko wrote:
>> Updated the documentation note to reflect the current state of
>> pve-firewall. Also added a section directing users to the macro system
>> if they need additional rules.
>> 
>> Suggested-by: Friedrich Weber <f.weber@proxmox.com>
>> Signed-off-by: Manuel Federanko <m.federanko@proxmox.com>
>> ---
>>  pve-firewall.adoc | 11 ++++++++---
>>  1 file changed, 8 insertions(+), 3 deletions(-)
>> 
>> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
>> index f04134a..df396d1 100644
>> --- a/pve-firewall.adoc
>> +++ b/pve-firewall.adoc
>> @@ -172,9 +172,14 @@ set the enable option here:
>>  enable: 1
>>  ----
>>  
>> -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
>> -default. Only exceptions is WebGUI(8006) and ssh(22) from your local
>> -network.
>> +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked
>> +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync
>> +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports
>> +(60000:60050) from your local network.
>> +
>> +Should you have other services running which communicate over the
>> +network, you will have to allow them seperately. For some common
>> +services there are `macros` available.
>>  
>>  If you want to administrate your {pve} hosts from remote, you
>>  need to create rules to allow traffic from those remote IPs to the web
> 

superseded: [PATCH docs] pve-firewall: update list of implicit rules.

[Manuel Federanko]

Superseded-by: https://lore.proxmox.com/pve-devel/20260505112049.52552-1-m.federanko@proxmox.com/T/#u