The Proxmox VE firewall leverages iptables of each Proxmox node for protection. The iptables is an application that allows you to manage rules tables for the Linux kernel firewall. All firewall rules and configurations are stored in the Proxmox cluster filesystem, thus allowing a distributed firewall system in the Proxmox cluster. The pre-firewall service provided by Proxmox for each node reads the rules and configurations from the cluster filesystem and automatically adjusts the local iptables. Rules can be fully created and maintained by the Proxmox GUI or CLI. The Proxmox firewall can be used in place of a virtualized firewall in the cluster.

As mentioned earlier, data center-specific firewall rules affect all resources, such as clusters, nodes, and virtual machines. Any rules created in this zone are cascaded to both hosts and VMs. This zone is also used to fully lock down a cluster to drop all incoming traffic and then only open what is required. In a freshly installed Proxmox cluster, the data center-wide firewall option is disabled.

Configuring the Datacenter firewall through the GUI

The following screenshot shows the Firewall option for the Datacenter zone through the Options tab by navigating to Datacenter | Firewall | Options:

As we can see in the preceding screenshot, by default the Proxmox firewall for the Datacenter zone is disabled with Input Policy set to DROP and Output Policy set to ACCEPT. If we did enable this firewall option right now...

Any rules created in the host zone only apply to the node where the rule itself was created and the VMs in that host node. Rules for one node do not get replicated to the other nodes, although the rule files are stored in the Proxmox cluster filesystem. There are no options to create IPSet or security groups in the host-specific firewall option. We can only create firewall rules. 

Rules created for a VM only apply to that particular virtual machine. Even when the virtual machine is moved to a different node, the firewall rule follows the VM throughout the cluster. There are no rules cascading from this zone. Under the VM firewall feature, we can create rules, aliases, and IPSets, but we cannot create a security group. The firewall management is the same for both the KVM virtual machines and LXC containers. We can go to the firewall feature of a VM by navigating to the VM | Firewall menu:

The security protection of the Proxmox VE firewall can be further enhanced by configuring an intrusion detection and prevention system such as Suricata. It is a high-performance IDS/IPS engine that is able to protect a virtual machine by rejecting traffic that may be possible intrusions. Currently, Snort and Suricata are two open source mainstream IDS/IPS available, although there are a few others. One of the primary advantages of Suricata is that it is multithreaded, whereas Snort is single-threaded. Suricata is under rapid deployment and has gained popularity in a short amount of time.

By default, Suricata is not installed on a Proxmox node. It needs to be manually installed and configured. As of Proxmox VE 5.0, Suricata can only be used to protect a virtual machine and not any Proxmox host nodes.

In this chapter, we learned about one of the most powerful features of Proxmox, the built-in firewall. We learned what it is and how to implement it to protect the entire cluster, Proxmox host nodes, and virtual machines. We learned how to manage the firewall rules and configuration using both the GUI and CLI. Proxmox adds security where it is needed the most. By leveraging a flexible and granular firewall protection at the hypervisor level, we are now able to have a better-secured cluster. This is not to say that firewall policies are not needed internally in each VM, but having a firewall built into the hypervisor offers an extra layer of protection from an infrastructural point of view.

In the next chapter, we are going to learn about the Proxmox VE High Availability feature for VMs, which has been completely redesigned from the ground up. The new changes brought higher stability while making the management and configuration a much simpler task.