From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [PATCH docs] pve-firewall: update list of implicit rules.
Date: Mon, 4 May 2026 13:10:29 +0200 [thread overview]
Message-ID: <d8dae8c9-a5d7-4c0d-aaa2-aa15b00c44f5@proxmox.com> (raw)
In-Reply-To: <20260504110438.71713-1-m.federanko@proxmox.com>
There is also a completely separate section which describes the default
firewall ruleset in greater detail [1]. It might make sense to link to
this section and maintain the full list there? This warning could then
be reformulated a bit (just a draft):
If you enable the firewall, traffic to all hosts will be blocked by
default - with some exceptions for traffic coming from the local network
to the WebUI, SSH and other important services. More information can be
found <link_to_default_rules_section>.
[1]
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_datacenter_incoming_outgoing_drop_reject
On 5/4/26 1:03 PM, Manuel Federanko wrote:
> Updated the documentation note to reflect the current state of
> pve-firewall. Also added a section directing users to the macro system
> if they need additional rules.
>
> Suggested-by: Friedrich Weber <f.weber@proxmox.com>
> Signed-off-by: Manuel Federanko <m.federanko@proxmox.com>
> ---
> pve-firewall.adoc | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index f04134a..df396d1 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -172,9 +172,14 @@ set the enable option here:
> enable: 1
> ----
>
> -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
> -default. Only exceptions is WebGUI(8006) and ssh(22) from your local
> -network.
> +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked
> +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync
> +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports
> +(60000:60050) from your local network.
> +
> +Should you have other services running which communicate over the
> +network, you will have to allow them seperately. For some common
> +services there are `macros` available.
>
> If you want to administrate your {pve} hosts from remote, you
> need to create rules to allow traffic from those remote IPs to the web
prev parent reply other threads:[~2026-05-04 11:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-04 11:04 [PATCH docs] pve-firewall: update list of implicit rules Manuel Federanko
2026-05-04 11:10 ` Stefan Hanreich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d8dae8c9-a5d7-4c0d-aaa2-aa15b00c44f5@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox