Proxmox Firewall Rules
Datacenter incoming/outgoing DROP/REJECT
If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:
traffic over the loopback interface
already established connections
traffic using the IGMP protocol
TCP traffic from management hosts to port 8006 in order to allow access to the web interface
TCP traffic from management hosts to the port range 5900 to 5999 allowing traffic for the VNC web console
TCP traffic from management hosts to port 3128 for connections to the SPICE proxy
TCP traffic from management hosts to port 22 to allow ssh access
UDP traffic in the cluster network to port 5404 and 5405 for corosync
UDP multicast traffic in the cluster network
ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded)
The following traffic is dropped, but not logged even with logging enabled:
TCP connections with invalid connection state
Broadcast, multicast and anycast traffic not related to corosync, i.e., not coming through port 5404 or 5405
TCP traffic to port 43
UDP traffic to ports 135 and 445
UDP traffic to the port range 137 to 139
UDP traffic from source port 137 to port range 1024 to 65535
UDP traffic to port 1900
TCP traffic to port 135, 139 and 445
UDP traffic originating from source port 53
The rest of the traffic is dropped or rejected, respectively, and also logged. This may vary depending on the additional options enabled in Firewall → Options, such as NDP, SMURFS and TCP flag filtering.
Please inspect the output of the
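To check that the defaults listed above really survive a DROP/REJECT policy on a given host, the small audit below parses an `iptables-save`-style dump and walks the host input chain with first-match semantics, asking whether a management host can still reach the web interface, VNC console range, SPICE proxy and ssh while a non-management source cannot. This is an added example, not Proxmox's own code: the chain name `PVEFW-HOST-IN`, the rule layout in `SAMPLE_DUMP`, the addresses, and the assumption that `RETURN` from the host chain means "allowed" are all assumptions made for illustration.

```python
"""Audit a Proxmox VE host firewall dump against the documented defaults.

Added example (not Proxmox code): parses iptables-save output and simulates
first-match evaluation of the host input chain to confirm that management
hosts still reach 8006, 22, 5900-5999 and 3128 while other sources do not.
Chain name, sample rules, addresses and ALLOW_TARGETS are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save` output (assumption: a real dump has
# many more chains and rules; only the shape matters here).
SAMPLE_DUMP = """\
*filter
:PVEFW-HOST-IN - [0:0]
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[tuple] = None      # (low, high), inclusive
    ctstates: Optional[set] = None     # conntrack states the rule matches
    in_iface: Optional[str] = None


RULE_RE = re.compile(r"^-A (\S+)(.*) -j (\S+)$")


def parse_iptables_save(text: str) -> List[Rule]:
    """Extract the match options we care about from each '-A' line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table headers, chain declarations, COMMIT
        chain, opts, target = m.groups()
        r = Rule(chain=chain, target=target)
        if (s := re.search(r"-s (\S+)", opts)):
            r.src = ipaddress.ip_network(s.group(1), strict=False)
        if (p := re.search(r"-p (\S+)", opts)):
            r.proto = p.group(1)
        if (d := re.search(r"--dport (\d+)(?::(\d+))?", opts)):
            lo = int(d.group(1))
            r.dport = (lo, int(d.group(2) or lo))
        if (c := re.search(r"--ctstate (\S+)", opts)):
            r.ctstates = set(c.group(1).split(","))
        if (i := re.search(r"-i (\S+)", opts)):
            r.in_iface = i.group(1)
        rules.append(r)
    return rules


def verdict(rules, chain, src_ip, proto, port, ctstate="NEW", iface="vmbr0"):
    """First-match walk of one chain; returns the matching rule's target,
    or None if the packet falls off the end of the chain."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.chain != chain:
            continue
        if r.in_iface and r.in_iface != iface:
            continue
        if r.ctstates is not None and ctstate not in r.ctstates:
            continue
        if r.src and ip not in r.src:
            continue
        if r.proto and r.proto != proto:
            continue
        if r.dport and not (r.dport[0] <= port <= r.dport[1]):
            continue
        return r.target
    return None


# Assumption: RETURN from the host chain hands the packet back to be accepted.
ALLOW_TARGETS = {"ACCEPT", "RETURN"}

# The management-host exceptions listed in the text: (proto, port, purpose)
MGMT_EXPECTED = [
    ("tcp", 8006, "web interface"),
    ("tcp", 5900, "VNC web console (range start)"),
    ("tcp", 5999, "VNC web console (range end)"),
    ("tcp", 3128, "SPICE proxy"),
    ("tcp", 22, "ssh"),
]


def audit_host_in(rules, src_ip, chain="PVEFW-HOST-IN"):
    """Return the documented services that src_ip can NOT reach."""
    return [(proto, port, desc) for proto, port, desc in MGMT_EXPECTED
            if verdict(rules, chain, src_ip, proto, port) not in ALLOW_TARGETS]


if __name__ == "__main__":
    rules = parse_iptables_save(SAMPLE_DUMP)
    print("management host missing:", audit_host_in(rules, "10.0.0.5"))
    print("other host missing:", audit_host_in(rules, "192.168.1.9"))
```

Running it against a real dump instead of `SAMPLE_DUMP` is a quick regression check after changing the policy or the management host set: an empty list for a management address and a full list for everything else is the expected picture. The conntrack handling also shows the two state-based items from the text, since an `ESTABLISHED` packet is accepted before any port rule is reached and an `INVALID` one is dropped regardless of source.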