.. /pve-firewall
Discovery
Defense Evasion

pve-firewall manages the Proxmox VE firewall including cluster-wide rules, host rules, and per-VM/container rules. Adversaries can manipulate firewall rules to enable lateral movement, disable security controls, or establish persistence through allowed network paths.

Discovery

  1. Show firewall status for the cluster and local node.

    pve-firewall status
    Use Case: Determine if firewall is enabled and identify security posture.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  2. Read cluster-wide firewall rules.

    cat /etc/pve/firewall/cluster.fw
    Use Case: Understand network security rules for planning lateral movement.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  3. Read host-specific firewall rules.

    cat /etc/pve/nodes/{node}/host.fw
    Use Case: Identify node-specific security configurations.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  4. Read VM/container-specific firewall rules.

    cat /etc/pve/firewall/{vmid}.fw
    Use Case: Identify per-VM security rules and potential bypass opportunities.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  5. Compile and display the iptables rules that will be applied.

    pve-firewall compile
    Use Case: Understand exact iptables rules for firewall bypass planning.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082

Defense Evasion

  1. Disable the firewall on a specific node.

    pvesh set /nodes/{node}/firewall/options --enable 0
    Use Case: Disable firewall to enable unrestricted network access.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1562.004
    Tags: Defense Evasion
  2. Add a firewall rule allowing inbound traffic.

    pvesh create /cluster/firewall/rules --action ACCEPT --type in --source 0.0.0.0/0 --dport 4444 --proto tcp
    Use Case: Create firewall exceptions for C2 traffic or lateral movement.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1562.004
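
For reviewing the firewall files listed above from the defender's side, the following added example (not part of the original page) parses the text of a `.fw` file and flags a disabled firewall or an enabled inbound ACCEPT rule with no source restriction. The sample config is constructed, and the parser assumes every rule option takes exactly one value.

```python
import re

ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the cluster.fw layout; not taken from a real host.
SAMPLE_CLUSTER_FW = """\
[OPTIONS]
enable: 0

[RULES]
IN SSH(ACCEPT) -source 10.0.0.0/24 # management subnet
IN ACCEPT -source 0.0.0.0/0 -p tcp -dport 4444
|IN ACCEPT -p tcp -dport 8080
IN DROP
"""

def audit_fw(text):
    """Return (line_no, finding) tuples for the text of one .fw file."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)[^\]]*\]", line)
        if header:
            section = header.group(1).upper()
            continue
        if section == "OPTIONS" and re.fullmatch(r"enable:\s*0", line):
            findings.append((no, "firewall disabled"))
        elif section == "RULES" and not line.startswith("|"):  # '|' marks a disabled rule
            tokens = line.split()
            if len(tokens) < 2 or tokens[0].upper() != "IN":
                continue
            # Action is either bare (ACCEPT) or wrapped in a macro, e.g. SSH(ACCEPT).
            action = re.sub(r"^[\w-]+\((\w+)\)$", r"\1", tokens[1]).upper()
            # Assumption: options come in "-name value" pairs.
            opts = {k.lstrip("-"): v for k, v in zip(tokens[2::2], tokens[3::2])}
            source = opts.get("source")
            if action == "ACCEPT" and (source is None or source in ANY_SOURCE):
                dport = opts.get("dport", "any")
                findings.append((no, f"inbound ACCEPT from any source, dport={dport}"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_fw(SAMPLE_CLUSTER_FW):
        print(f"line {no}: {finding}")
```

Running the same function periodically over `/etc/pve/firewall/cluster.fw`, each node's `host.fw` and the per-guest files, and comparing the findings with the previous run, surfaces newly added exceptions.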