From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 15A341FF136 for ; Mon, 04 May 2026 13:11:08 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CC5191A173; Mon, 4 May 2026 13:11:05 +0200 (CEST) Message-ID: Date: Mon, 4 May 2026 13:10:29 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH docs] pve-firewall: update list of implicit rules. To: pve-devel@lists.proxmox.com References: <20260504110438.71713-1-m.federanko@proxmox.com> Content-Language: en-US From: Stefan Hanreich In-Reply-To: <20260504110438.71713-1-m.federanko@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.690 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: W55EEXQKLLVRCYFOCQFBCZDZ7UZ4DFEP X-Message-ID-Hash: W55EEXQKLLVRCYFOCQFBCZDZ7UZ4DFEP X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: There is also a completely separate section which describes the default firewall ruleset in greater detail [1]. It might make sense to link to this section and maintain the full list there? This warning could then be reformulated a bit (just a draft): If you enable the firewall, traffic to all hosts will be blocked by default - with some exceptions for traffic coming from the local network to the WebUI, SSH and other important services. More information can be found . [1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_datacenter_incoming_outgoing_drop_reject On 5/4/26 1:03 PM, Manuel Federanko wrote: > Updated the documentation note to reflect the current state of > pve-firewall. Also added a section directing users to the macro system > if they need additional rules. > > Suggested-by: Friedrich Weber > Signed-off-by: Manuel Federanko > --- > pve-firewall.adoc | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/pve-firewall.adoc b/pve-firewall.adoc > index f04134a..df396d1 100644 > --- a/pve-firewall.adoc > +++ b/pve-firewall.adoc > @@ -172,9 +172,14 @@ set the enable option here: > enable: 1 > ---- > > -IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by > -default. Only exceptions is WebGUI(8006) and ssh(22) from your local > -network. > +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked > +by default. The only exceptions are the WebGUI(8006), ssh(22), corosync > +(5404:5405), VNC(5900:5999), SPICE(3128) and the migration ports > +(60000:60050) from your local network. > + > +Should you have other services running which communicate over the > +network, you will have to allow them seperately. For some common > +services there are `macros` available. > > If you want to administrate your {pve} hosts from remote, you > need to create rules to allow traffic from those remote IPs to the web