Random notes from a security-aware software engineer, open-source advocate and occasional lecturer.
⚠ Warning: Don’t just flip the firewall switch on. The default policy is deny, so unless you already have rules allowing management access, you will instantly lock yourself out of the web UI and SSH.
Before you start:
Go to Datacenter → Firewall and add the following rules before enabling anything:
| Direction | Action | Enable | Protocol | Port / Macro |
|---|---|---|---|---|
| IN | ACCEPT | true | TCP | 8006 (PVE web interface) |
| IN | ACCEPT | true | – | macro: SSH |
| IN | ACCEPT | true | – | macro: Ping |
Only once the rules above exist, go to Datacenter → Firewall → Options and set:
YesThat’s it. Nodes now enforce the datacenter rules, and you can add node-specific overrides or VM/interface-level firewalls as needed. Just remember that VMs need their own firewall and rules enabled, since they don’t inherit any of the above.
</content>