How To Use The Firewall
The firewall lets you control which network traffic can reach your server and which traffic your server can send out. This guide covers enabling the firewall from Firewall Options, adding rules, rule order, default policies, and backups.
Where to find it
- Log in to the Client Area.
- Go to Services → select your Proxmox VPS/Cloud service.
- Use the Firewall tab to manage rules, and Firewall Options to enable the firewall & set defaults.
Firewall basics
- Rules are evaluated top → bottom. Put specific allows above broader blocks.
- Each rule has: Direction (In/Out), Action (Accept/Drop/Reject), Source, Destination, optional Interface (if visible), and either a Macro or a Protocol/Ports definition.
- You can also attach Security Groups (predefined rule sets we maintain).
Enable the firewall (Firewall Options)
- Open Firewall Options.
- Click Edit, toggle Enable (per-VM firewall), then Save/Apply.
Default policies (Firewall Options)
Default policies are the fallback action when no rule matches:
- Default Input Policy — packets to your VM when no rule matches: ACCEPT, DROP, or REJECT.
- Default Output Policy — packets from your VM when no rule matches: ACCEPT, DROP, or REJECT.
Recommended workflow: Start with Input = ACCEPT and Output = ACCEPT while you add allow rules. After verifying access, change Input (and optionally Output) to DROP or REJECT to harden. DROP is silent; REJECT sends an explicit refusal.
Macro vs Protocol — what’s the difference?
You can define a rule in exactly one of these ways:
- Macro — pick a predefined service (e.g., SSH, HTTP/HTTPS, DNS, Ping). It auto-fills protocol and ports.
- Protocol/Ports — explicitly choose Protocol (TCP/UDP/ICMP) and set Source/Destination Port (single, list, or range).
Important: Do not set both Macro and Protocol/Ports in the same rule. They are alternatives. If you need multiple services, create multiple rules (e.g., one Macro for HTTP/HTTPS + one Protocol rule for SSH).
Add common allow rules
Go to Firewall → Add Rule, fill the fields, then Confirm. Repeat for each service.
Allow SSH from your current IP (recommended)
- Direction: In
- Action: Accept
- Macro: leave empty
- Protocol: TCP
- Destination Port: 22 (or your custom SSH port)
- Source: YOUR.PUBLIC.IP.ADDR/32
- Destination: your server IP (or “this VM”)
- Comment: Allow SSH from my IP
Allow HTTP/HTTPS (public websites)
- Direction: In
- Action: Accept
- Macro: HTTP/HTTPS (or set Protocol TCP, Dest Ports 80,443)
- Source: 0.0.0.0/0 (or restrict to CDN/WAF IPs)
- Destination: your server IP
- Comment: Public web
Allow ICMP (optional: ping)
- Direction: In
- Action: Accept
- Macro: Ping/ICMP (or Protocol ICMP)
- Source: 0.0.0.0/0
Prioritize (reorder) rules
- Use Move Up/Move Down (or drag, if available) to change order.
- Place specific allows above any broader deny rules.
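To check a planned rule order before changing the Default Input Policy to DROP, the sketch below models the behaviour this guide describes: the first matching rule from the top wins, and the default policy applies when nothing matches. It is an added example, not the platform's own code; the rule dictionaries, function names, and the documentation addresses 203.0.113.10 and 198.51.100.7 are assumptions made for illustration.

```python
import ipaddress

# Constructed inbound rules modelled on this guide's examples. 203.0.113.10 is
# a documentation address standing in for YOUR.PUBLIC.IP.ADDR.
SSH_ALLOW = {"action": "ACCEPT", "proto": "tcp", "dports": {22},
             "source": "203.0.113.10/32", "comment": "Allow SSH from my IP"}
WEB_ALLOW = {"action": "ACCEPT", "proto": "tcp", "dports": {80, 443},
             "source": "0.0.0.0/0", "comment": "Public web"}
PING_ALLOW = {"action": "ACCEPT", "proto": "icmp", "dports": None,
              "source": "0.0.0.0/0", "comment": "Ping"}
BROAD_DROP = {"action": "DROP", "proto": None, "dports": None,
              "source": "0.0.0.0/0", "comment": "Block everything else"}


def matches(rule, proto, src, dport):
    """True if an inbound packet fits the rule; None in a field means 'any'."""
    if not rule.get("enabled", True):
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dports"] is not None and dport not in rule["dports"]:
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule["source"])


def evaluate(rules, default_input_policy, proto, src, dport=None):
    """First matching rule wins (top to bottom); otherwise the default applies."""
    for rule in rules:
        if matches(rule, proto, src, dport):
            return rule["action"], rule["comment"]
    return default_input_policy, "default input policy"


def ssh_survives(rules, default_input_policy, admin_ip, ssh_port=22):
    """Pre-flight check before hardening: is SSH from admin_ip still accepted?"""
    action, _ = evaluate(rules, default_input_policy, "tcp", admin_ip, ssh_port)
    return action == "ACCEPT"


if __name__ == "__main__":
    good = [SSH_ALLOW, WEB_ALLOW, PING_ALLOW, BROAD_DROP]
    bad = [BROAD_DROP, SSH_ALLOW, WEB_ALLOW, PING_ALLOW]  # broad block on top
    for name, rules in (("specific-first", good), ("block-first", bad)):
        print(name, "admin SSH:", evaluate(rules, "DROP", "tcp", "203.0.113.10", 22))
        print(name, "other SSH:", evaluate(rules, "DROP", "tcp", "198.51.100.7", 22))
```

With the broad block on top, SSH from the admin address is dropped even though an allow rule exists further down, which is the lockout case covered under Troubleshooting.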
Outbound (egress) rules
- Add Direction: Out, Action: Accept rules for destinations/ports you allow (e.g., TCP 443 to 0.0.0.0/0 for HTTPS).
- (Optional) Add a broader Out rule with Action: Drop/Reject below your allows to block the rest.
Backup & restore firewall rules
- Click Download/Export Rules to save your current rules.
- Use Restore/Import Rules to apply a previously saved rules file after reinstalls.
Troubleshooting
- Locked out? Use the noVNC/HTML5 console to revert or open a support ticket.
- Rule ignored? Check rule order, make sure it’s Enabled, and ensure you didn’t set both Macro and Protocol/Ports in the same rule.
- Still no access? Confirm the service is running, ports/protocols match, and any in-guest firewall (ufw/firewalld/Windows) aligns with your intent.