Proxmox Firewall Rules

Proxmox uses various ports for communication between a user and the server, or between multiple servers in a cluster. You may need to proxy or port forward some of these ports for external access to Proxmox or, in stricter environments, add rules to allow inter-machine communication.

For external access to Proxmox you will use either SSH, the web console or SPICE. The following ports are used for each of these services:

  • Web console: 8006 TCP – this is the console you open in your web browser to administer Proxmox. Note: VNC terminals will not work on this port alone.
  • VNC console: 5900 – 5999 TCP – this range of ports is used for the VNC console/terminal. A range is needed because each open session requires its own port, meaning that you can have a total of 100 open VNC sessions at once.
  • SPICE: 3128 TCP – this is used if you use SPICE instead of the VNC console. SPICE requires a client to connect.
  • SSH: 22 TCP – this is required for accessing your Proxmox server using SSH.

An additional set of ports is required if you are using Proxmox in a cluster.

  • CMAN: 5404 and 5405 UDP – this is the cluster manager for the Proxmox cluster.
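
As an added example (not part of the original page), the script below turns the port list above into an iptables-restore ruleset that exposes the management ports only to an administration network and the cluster ports only to peer nodes. The two networks, the function names and the default-deny INPUT policy are assumptions made for illustration; any other service running on the host would need its own rule.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the ports listed above.
# Both networks are constructed placeholders (assumptions), not values from the page.
ADMIN_NET="${ADMIN_NET-192.0.2.0/24}"        # where administrators connect from
CLUSTER_NET="${CLUSTER_NET-198.51.100.0/24}" # other cluster nodes; set empty if standalone

# Shape check only (a.b.c.d/0-32), so a typo never reaches the ruleset.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# proxmox_rules ADMIN_CIDR [CLUSTER_CIDR] -> ruleset on stdout, non-zero on bad input
proxmox_rules() {
    pr_admin="$1"; pr_cluster="${2:-}"
    valid_cidr "$pr_admin" || { echo "bad admin network: $pr_admin" >&2; return 1; }
    if [ -n "$pr_cluster" ] && ! valid_cidr "$pr_cluster"; then
        echo "bad cluster network: $pr_cluster" >&2; return 1
    fi
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SSH 22, SPICE 3128, web console 8006, VNC 5900-5999: admin network only
    printf '%s\n' "-A INPUT -s $pr_admin -p tcp -m multiport --dports 22,3128,8006,5900:5999 -j ACCEPT"
    # CMAN 5404/5405 UDP: cluster peers only, skipped on a standalone host
    if [ -n "$pr_cluster" ]; then
        printf '%s\n' "-A INPUT -s $pr_cluster -p udp -m multiport --dports 5404,5405 -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT'
}

# Print for review; pipe into `iptables-restore --test` to parse it without applying.
proxmox_rules "$ADMIN_NET" "$CLUSTER_NET"
```

Apply the ruleset from a local console or with a rollback timer in place, since a wrong administration network locks out SSH and the web console at the same time.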

