Configuration files of a firewall

Although the Proxmox firewall can be managed entirely from the Proxmox GUI, at times accessing the rules from the CLI may be necessary, especially when a cluster is locked out due to the misconfiguration of firewall rules. All firewall configurations and rules follow the same naming format, with the .fw extension. The firewall configuration and rule files are stored in two different directories for all three zones:

    /etc/pve/firewall/cluster.fw  

This is the data center configuration and zone rule file. All other data center-wide firewall information, such as security groups and IPSets, is also stored in this single file. We can enable or disable the data center-wide firewall by editing this configuration file.

CAUTION!
Do not enable the data center-wide firewall before reading the Configuring the data center-specific firewall section later in this chapter.

    /etc/pve/nodes/<node_name>/host.fw  

This is the configuration and rules file for a Proxmox node or host.

    /etc/pve/firewall/<vm_id>.fw  

Each virtual machine, whether it is KVM or LXC, has a separate firewall configuration file named with its VM ID, stored in the same directory as the data center firewall file.

When new rules are created or edited through the Proxmox GUI, these are the files that get changed. Whether the changes are made through the GUI or CLI, all rules take effect immediately. No reboot or restart of a firewall service is required.
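For the lock-out case mentioned above, here is one way to flip the firewall switch in a `.fw` file from the CLI while keeping a rollback copy. This is an added example, not code from the book. The helper names `fw_get_enable` and `fw_set_enable`, the `/var/tmp` backup location, and the `[OPTIONS]` section with an `enable: 0|1` line are assumptions, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the book. Helper names are hypothetical; the
# "[OPTIONS]" section with an "enable: 0|1" line is an assumed file layout.

fw_get_enable() {   # print the enable value found in [OPTIONS], or "unset"
    awk '/^\[/ { in_opt = (toupper($0) ~ /^\[OPTIONS\]/); next }
         in_opt && /^[ \t]*enable[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
             print; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

fw_set_enable() {   # usage: fw_set_enable <file.fw> <0|1> [backup_dir]
    file=$1; value=$2; bakdir=${3:-/var/tmp}
    case $value in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    bak="$bakdir/$(basename "$file").bak"
    cp "$file" "$bak" || return 1            # rollback copy, kept outside /etc/pve
    tmp=$(mktemp) || return 1
    if grep -qi '^\[OPTIONS\]' "$bak"; then
        # Rewrite only inside [OPTIONS]; rules, IPSets and groups pass through.
        awk -v v="$value" '
            /^\[/ { in_opt = (toupper($0) ~ /^\[OPTIONS\]/); print
                    if (in_opt && !done) { print "enable: " v; done = 1 }
                    next }
            in_opt && /^[ \t]*enable[ \t]*:/ { next }   # drop the old value
            { print }' "$bak" > "$tmp"
    else
        # No [OPTIONS] section yet: put one at the top of the file.
        { printf '[OPTIONS]\nenable: %s\n\n' "$value"; cat "$bak"; } > "$tmp"
    fi
    cat "$tmp" > "$file"; rc=$?              # overwrite contents in place
    rm -f "$tmp"
    return $rc
}

fw_demo() {   # constructed sample standing in for /etc/pve/firewall/cluster.fw
    d=$(mktemp -d) || return 1
    printf '%s\n' '[OPTIONS]' 'enable: 1' 'policy_in: DROP' '' \
        '[RULES]' 'IN ACCEPT -p tcp -dport 8006' > "$d/cluster.fw"
    echo "before: $(fw_get_enable "$d/cluster.fw")"
    fw_set_enable "$d/cluster.fw" 0 "$d"
    echo "after:  $(fw_get_enable "$d/cluster.fw")"
    rm -rf "$d"
}

fw_demo
```

On a real node the first argument would be one of the three paths listed above. Because rule changes take effect immediately, run `fw_get_enable` on the file before and after the change to confirm what was written.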
