Fix I.T. Phill – Your Go-To Tech Guru

How To Install Shorewall And Configure It To Harden Proxmox VE

Proxmox VE Shorewall firewall hardening checklist with management allowlist and rollback planning

Proxmox Upgrade Chain

Proxmox upgrades are chained. If you are catching up from an older host, work forward instead of jumping blind: 7.4 to 8.0, 8.2/8.3 to 8.4, 8.4 to 9.1, then the Proxmox VE 9.2 upgrade checklist. For new hardware, use the separate Proxmox VE 9.2 fresh install guide.

2026 Proxmox firewall update

Shorewall can still be useful, but do not lock yourself out of a Proxmox host. Before applying firewall changes, confirm console access, management IP allowlists, cluster/corosync needs, migration ports, backup traffic, and rollback steps. Also compare this approach against the built-in Proxmox firewall in the official Proxmox VE docs.

Shorewall is a powerful firewall tool that can help secure your Proxmox VE server. In this tutorial, we’ll cover how to install Shorewall and configure it to harden your Proxmox VE server.

  1. Install Shorewall on Proxmox VE. To install Shorewall on Proxmox VE, follow these steps:
  2. Log in to your Proxmox VE server as the root user.
  3. Open a terminal window and run the following command to install Shorewall:

    apt-get install shorewall

    This will install Shorewall on your Proxmox VE server.
  4. Configure Shorewall. Once Shorewall is installed, you need to configure it to harden your Proxmox VE server. Here are the steps:
  5. Open the Shorewall configuration file in a text editor.
    The file is located at /etc/shorewall/shorewall.conf.
  6. Set the STARTUP_ENABLED option to Yes to enable Shorewall at startup:

    STARTUP_ENABLED=Yes
  7. Add the network interface that carries your Proxmox VE server IP address to the /etc/shorewall/interfaces file. The interface should be assigned to the net zone:

    net eth0 dhcp,routeback
  8. Create a new configuration file for Shorewall rules.
    You can name it anything you like, but it should end with .rules. For example, proxmox.rules.
  9. Open the new configuration file in a text editor and add the following rules:

    # Allow all traffic from the loc (local network) zone to the firewall itself
    ACCEPT loc $FW all

    # Allow SSH traffic from any IP address
    ACCEPT net $FW tcp 22

    # Allow HTTP and HTTPS traffic from any IP address
    ACCEPT net $FW tcp 80
    ACCEPT net $FW tcp 443

    # Deny all other traffic
    DROP net all all


    These rules allow SSH, HTTP, and HTTPS traffic to your Proxmox VE server and deny all other traffic.
  10. Save the configuration file and exit the text editor.
  11. Test your configuration by running the following command:

    shorewall check

    This will check the Shorewall configuration for errors.
  12. If there are no errors, start Shorewall by running the following command:

    service shorewall start

    Shorewall is now running and securing your Proxmox VE server.

Congratulations, you’ve successfully installed and configured Shorewall to harden your Proxmox VE server.
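
As an added example (not part of the original guide), the shell function below audits a rules file like the one in step 9 for the exposure and lock-out risks that the 2026 update note warns about. It assumes management traffic arrives through the net zone on TCP 22 and 8006 (the Proxmox web interface port) and that allowlisted sources use Shorewall's zone:address form; the address 192.0.2.10 is a constructed placeholder.

```bash
# Added example: pre-flight audit of a Shorewall rules file (POSIX sh + awk).
# Assumptions (not from the page): management reaches the host via the "net"
# zone on tcp 22 and 8006; port ranges and service names are not parsed.
MGMT_PORTS="22 8006"

# Reads rules on stdin, prints one finding per line, returns 1 if any.
audit_rules() {
    awk -v ports="$MGMT_PORTS" '
    BEGIN { n = split(ports, p, " "); allp = ports; gsub(/ /, ",", allp)
            for (i = 1; i <= n; i++) state[p[i]] = "none" }
    { sub(/#.*/, "") }                                   # strip comments
    NF < 3 || ($2 != "net" && $2 !~ /^net:/) { next }    # only rules sourced from net
    # First match wins: a catch-all DROP/REJECT shadows every later ACCEPT.
    $2 == "net" && $1 ~ /^(DROP|REJECT)$/ && ($4 == "" || $4 == "all") { closed = 1 }
    $1 != "ACCEPT" || closed || ($3 != "$FW" && $3 != "all") { next }
    {
        any = ($4 == "" || $4 == "all")                  # rule covers every port
        if (!any && $4 != "tcp") next
        m = split(any ? allp : $5, d, ",")
        for (i = 1; i <= m; i++) if (d[i] in state) {
            if ($2 == "net") { state[d[i]] = "open" }
            else if (state[d[i]] == "none") { state[d[i]] = "allowlisted" }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (state[p[i]] == "open") { print "OPEN " p[i] ": any net address can connect"; bad = 1 }
            if (state[p[i]] == "none") { print "LOCKOUT " p[i] ": no effective ACCEPT from net"; bad = 1 }
        }
        exit bad + 0
    }'
}
# Constructed sample: the rules from step 9, one rule per line.
sample_page_rules() { cat <<'EOF'
ACCEPT loc $FW all
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
DROP net all all
EOF
}
# Constructed sample: management limited to one placeholder admin address.
sample_allowlisted_rules() { cat <<'EOF'
ACCEPT net:192.0.2.10 $FW tcp 22,8006
DROP net all all
EOF
}
sample_page_rules | audit_rules || true
```

Pipe your own rules file into `audit_rules` before running `shorewall check`; an empty result means both management ports are reachable only from allowlisted addresses.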

Current Firewall And SDN Note

This Shorewall guide is from an older Proxmox VE era. Current Proxmox VE releases include major firewall and SDN changes, including stronger SDN visibility in 9.1. Review the newer upgrade path before applying old firewall assumptions to a current cluster.
