Firewall Management - FreshPerf/PVE4J GitHub Wiki
This guide covers VM firewall configuration, rules, and IP set management in PVE4J.
- Firewall Options
- Firewall Rules
- IP Set Management
- IP Set Members
- Common Firewall Configurations
- Firewall Management Helper
import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.PveQemuFirewallOptions;
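try {
    // Read-only call: fetches the firewall options stored for VM 100 on "pve-node-01".
    PveQemuFirewallOptions options = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getOptions()
            .execute();

    // When auditing, read "Enabled" together with the default policies below.
    // "Enabled" is the VM-level switch only: in Proxmox VE the VM firewall filters traffic
    // only if the datacenter-level firewall is enabled and the VM's network device has its
    // own firewall flag set, so check those before treating the VM as protected.
    System.out.println("DHCP: " + options.getDhcp());
    System.out.println("Enabled: " + options.getEnable());
    System.out.println("IPv6: " + options.getIpv6());
    System.out.println("Log Level In: " + options.getLogLevelIn());
    System.out.println("Log Level Out: " + options.getLogLevelOut());
    System.out.println("MAC Filter: " + options.getMacfilter());
    System.out.println("NDP: " + options.getNdp());
    // Default actions for traffic that no rule matches.
    System.out.println("Policy In: " + options.getPolicyIn());
    System.out.println("Policy Out: " + options.getPolicyOut());
    System.out.println("RADV: " + options.getRadv());
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.PveQemuFirewallOptionsUpdate;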
import fr.freshperf.pve4j.entities.PveTask;
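try {
    PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
            .enable(true)
            .dhcp(true)
            .ipv6(true)
            .logLevelIn("info")
            .logLevelOut("info")
            // Default-deny inbound: traffic that no rule accepts is dropped.
            .policyIn("DROP")
            // Outbound stays unrestricted; tighten this if the VM should not be able to
            // open arbitrary connections.
            .policyOut("ACCEPT")
            .build();

    PveTask task = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .updateOptions(options)
            .waitForCompletion(proxmox)
            .execute();

    // NOTE(review): the returned task is never inspected. Confirm that waitForCompletion()
    // raises ProxmoxAPIError when the task fails; otherwise check the task's status before
    // reporting success, so a failed update is not mistaken for an active firewall.
    System.out.println("Firewall options updated successfully!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Enable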
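try {
    // Only the enable flag is set here; the builder leaves every other option unset.
    PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
            .enable(true)
            .build();

    // In Proxmox VE this VM-level switch takes effect only when the datacenter-level firewall
    // is enabled and the VM's network device has its firewall flag set. Verify both, or the
    // VM can look protected while nothing is filtered.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .updateOptions(options)
            .waitForCompletion(proxmox)
            .execute();

    System.out.println("Firewall enabled for VM 100");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}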
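// Disable
// Turning the VM firewall off removes VM-level filtering for VM 100. Treat this as a
// privileged, audited operation (who disabled it, when, and why) and re-enable it once the
// maintenance that required it is finished.
try {
    PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
            .enable(false)
            .build();

    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .updateOptions(options)
            .waitForCompletion(proxmox)
            .execute();

    System.out.println("Firewall disabled for VM 100");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.rules.PveFirewallRule;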
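// List every firewall rule defined for VM 100.
try {
    List<PveFirewallRule> rules = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getRules()
            .list()
            .execute();

    // Reviewing the whole list, in order, is the way to spot overly broad ACCEPT rules.
    for (PveFirewallRule rule : rules) {
        System.out.println("Rule: " + rule);
    }
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Fetch a single rule by its position in the rule list.
try {
    // The argument is a list position, not a stable rule identifier: the rule found at a
    // given position changes whenever rules are inserted, moved or deleted.
    PveFirewallRule rule = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getRules()
            .get(0) // position
            .execute();

    System.out.println("Rule at position 0: " + rule);
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.rules.PveFirewallRuleCreateOptions;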
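// Create a rule.
try {
    // The builder is left empty in this example. For a real ACCEPT rule, scope it as narrowly
    // as the service allows (direction, protocol, port, source) instead of opening the VM broadly.
    PveFirewallRuleCreateOptions options = PveFirewallRuleCreateOptions.builder()
            // Configure rule options (type, action, direction, etc.)
            .build();

    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getRules()
            .create(options)
            .execute();

    System.out.println("Firewall rule created!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Update the rule at a given position.
try {
    PveFirewallRuleCreateOptions options = PveFirewallRuleCreateOptions.builder()
            // Updated rule options
            .build();

    // Rules are addressed by list position. If another client inserts or removes a rule
    // between your read and this call, position 0 may refer to a different rule, so re-read
    // the list immediately before modifying it.
    // NOTE(review): the Proxmox API accepts a digest to reject such stale updates; check
    // whether PveFirewallRuleCreateOptions exposes it.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getRules()
            .update(0, options) // update rule at position 0
            .execute();

    System.out.println("Firewall rule updated!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Delete the rule at a given position.
try {
    // The same position caveat applies: confirm which rule sits at position 0 before deleting.
    // Removing the wrong rule can either cut off a service or leave a broad ACCEPT in place.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getRules()
            .delete(0) // delete rule at position 0
            .execute();

    System.out.println("Firewall rule deleted!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.ipset.PveQemuFirewallIpSetEntry;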
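// List the IP sets defined on VM 100's firewall.
try {
    List<PveQemuFirewallIpSetEntry> ipsets = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .list()
            .execute();

    for (PveQemuFirewallIpSetEntry ipset : ipsets) {
        System.out.println("IP Set: " + ipset);
    }
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.ipset.PveQemuFirewallIpSetCreateOptions;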
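// Create an (initially empty) IP set.
try {
    PveQemuFirewallIpSetCreateOptions options = PveQemuFirewallIpSetCreateOptions.builder()
            .build();

    // An IP set only groups addresses. It does not permit or block anything until a
    // firewall rule references it.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .create("trusted-ips", options)
            .execute();

    System.out.println("IP Set 'trusted-ips' created!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Rename an IP set.
try {
    // NOTE(review): rules that reference the set by its old name may need updating after a
    // rename; confirm how the API handles existing references before renaming a set in use.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .rename("old-name", "new-name", PveQemuFirewallIpSetCreateOptions.builder().build())
            .execute();

    System.out.println("IP Set renamed!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Delete an IP set.
try {
    // NOTE(review): the second argument is presumably the API's "force" flag (delete the set
    // even if it still has members); confirm against the PVE4J signature. Check that no rule
    // still depends on the set before removing it.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .delete("trusted-ips", false)
            .execute();

    System.out.println("IP Set deleted!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.ipset.PveQemuFirewallIpSetMember;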
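// List the members (CIDR entries) of the "trusted-ips" set.
try {
    List<PveQemuFirewallIpSetMember> members = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .listMembers("trusted-ips")
            .execute();

    // Periodically reviewing this output helps catch stale or overly broad entries in a
    // set that rules treat as trusted.
    for (PveQemuFirewallIpSetMember member : members) {
        System.out.println("CIDR: " + member.getCidr());
        System.out.println("Comment: " + member.getComment());
        System.out.println("---");
    }
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.ipset.PveQemuFirewallIpSetMemberCreateOptions;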
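// Add a CIDR range to an IP set.
try {
    PveQemuFirewallIpSetMemberCreateOptions options =
            PveQemuFirewallIpSetMemberCreateOptions.builder()
                    .build();

    // The CIDR here is a literal sample value. When the value comes from user input or
    // configuration, validate it first and reject ranges broader than intended: every
    // address added to a "trusted" set inherits whatever the rules grant that set.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .addMember("trusted-ips", "192.168.1.0/24", options)
            .execute();

    System.out.println("IP range added to IP Set!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Look up one member of an IP set by its CIDR.
try {
    PveQemuFirewallIpSetMember member = proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .getMember("trusted-ips", "192.168.1.0/24")
            .execute();

    System.out.println("Member: " + member);
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

import fr.freshperf.pve4j.entities.nodes.node.qemu.firewall.ipset.PveQemuFirewallIpSetMemberUpdateOptions;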
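// Update an existing IP set member.
try {
    PveQemuFirewallIpSetMemberUpdateOptions options =
            PveQemuFirewallIpSetMemberUpdateOptions.builder()
                    .build();

    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .updateMember("trusted-ips", "192.168.1.0/24", options)
            .execute();

    System.out.println("IP Set member updated!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

// Remove a member from an IP set.
try {
    // NOTE(review): the third argument is passed as null here; it is presumably the optional
    // configuration digest used to reject changes against a stale view. Confirm against the
    // PVE4J signature.
    proxmox.getNodes()
            .get("pve-node-01")
            .getQemu()
            .get(100)
            .getFirewall()
            .getIpSet()
            .deleteMember("trusted-ips", "192.168.1.0/24", null)
            .execute();

    System.out.println("IP removed from IP Set!");
} catch (ProxmoxAPIError e) {
    e.printStackTrace();
} catch (InterruptedException e) {
    // Restore the interrupt status so callers further up the stack still see the interruption.
    Thread.currentThread().interrupt();
    e.printStackTrace();
}

/**
 * Enables the VM firewall with a default-deny inbound policy and creates an empty
 * "admin-access" IP set.
 *
 * <p>This method creates no firewall rules. With {@code policyIn("DROP")} and no ACCEPT rule,
 * inbound traffic to the VM, web traffic included, is dropped, and the "admin-access" set has
 * no effect until it is populated and a rule references it. Add those rules before relying on
 * this configuration.
 *
 * <p>Failures are reported on stderr and not rethrown, so the caller cannot tell from the
 * return whether the firewall was actually configured. Propagate the exception instead if
 * callers must react to a failed setup.
 *
 * @param proxmox client used to reach the Proxmox API
 * @param node    name of the node hosting the VM
 * @param vmid    id of the VM to configure
 */
public void configureWebServerFirewall(Proxmox proxmox, String node, int vmid) {
    try {
        // Enable firewall with restrictive default policy
        PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
                .enable(true)
                .policyIn("DROP")
                .policyOut("ACCEPT")
                .dhcp(true)
                .build();
        proxmox.getNodes()
                .get(node)
                .getQemu()
                .get(vmid)
                .getFirewall()
                .updateOptions(options)
                .waitForCompletion(proxmox)
                .execute();

        // Create IP set for allowed management IPs
        PveQemuFirewallIpSetCreateOptions ipsetOptions =
                PveQemuFirewallIpSetCreateOptions.builder()
                        .build();
        proxmox.getNodes()
                .get(node)
                .getQemu()
                .get(vmid)
                .getFirewall()
                .getIpSet()
                .create("admin-access", ipsetOptions)
                .execute();

        System.out.println("Web server firewall configured");
    } catch (ProxmoxAPIError e) {
        // Say explicitly that the VM may be left partly configured.
        System.err.println("Firewall configuration for VM " + vmid + " did not complete");
        e.printStackTrace();
    } catch (InterruptedException e) {
        // Restore the interrupt status so callers further up the stack still see the interruption.
        Thread.currentThread().interrupt();
        System.err.println("Firewall configuration for VM " + vmid + " did not complete");
        e.printStackTrace();
    }
}

/**
 * Enables the VM firewall with a default-deny inbound policy, creates the "db-clients" IP set
 * and adds every entry of {@code allowedIPs} to it.
 *
 * <p>Default-deny is applied first, so a failure part-way through leaves the VM closed rather
 * than open. No rule is created here: database clients are not admitted until a rule
 * references "db-clients".
 *
 * <p>Entries are passed to the API as given. If the list comes from user input or
 * configuration, validate each CIDR beforehand and reject ranges broader than intended
 * (for example an all-addresses range), since every member is treated as an allowed client.
 *
 * <p>Failures are reported on stderr and not rethrown; the set may then be only partly
 * populated.
 *
 * @param proxmox    client used to reach the Proxmox API
 * @param node       name of the node hosting the VM
 * @param vmid       id of the VM to configure
 * @param allowedIPs addresses or CIDR ranges to add to "db-clients"; must not be null
 * @throws NullPointerException if {@code allowedIPs} is null
 */
public void configureDatabaseFirewall(Proxmox proxmox, String node, int vmid,
        List<String> allowedIPs) {
    // Fail before touching the firewall instead of part-way through the configuration.
    java.util.Objects.requireNonNull(allowedIPs, "allowedIPs");
    try {
        // Enable firewall
        PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
                .enable(true)
                .policyIn("DROP")
                .policyOut("ACCEPT")
                .build();
        proxmox.getNodes()
                .get(node)
                .getQemu()
                .get(vmid)
                .getFirewall()
                .updateOptions(options)
                .waitForCompletion(proxmox)
                .execute();

        // Create IP set for database clients
        proxmox.getNodes()
                .get(node)
                .getQemu()
                .get(vmid)
                .getFirewall()
                .getIpSet()
                .create("db-clients", PveQemuFirewallIpSetCreateOptions.builder().build())
                .execute();

        // Add allowed IPs
        for (String ip : allowedIPs) {
            PveQemuFirewallIpSetMemberCreateOptions memberOptions =
                    PveQemuFirewallIpSetMemberCreateOptions.builder()
                            .build();
            proxmox.getNodes()
                    .get(node)
                    .getQemu()
                    .get(vmid)
                    .getFirewall()
                    .getIpSet()
                    .addMember("db-clients", ip, memberOptions)
                    .execute();
        }

        System.out.println("Database firewall configured with " + allowedIPs.size() + " allowed IPs");
    } catch (ProxmoxAPIError e) {
        // Say explicitly that the IP set may be incomplete.
        System.err.println("Firewall configuration for VM " + vmid + " did not complete");
        e.printStackTrace();
    } catch (InterruptedException e) {
        // Restore the interrupt status so callers further up the stack still see the interruption.
        Thread.currentThread().interrupt();
        System.err.println("Firewall configuration for VM " + vmid + " did not complete");
        e.printStackTrace();
    }
}

/**
 * Convenience wrapper around the firewall of a single VM.
 *
 * <p>All methods propagate {@link ProxmoxAPIError} and {@link InterruptedException}, so the
 * caller decides how a failed firewall change is handled.
 */
public class FirewallManager {
    private final Proxmox proxmox;
    private final String node;
    private final int vmid;

    /**
     * Binds the manager to one VM.
     *
     * @param proxmox client used to reach the Proxmox API; must not be null
     * @param node    name of the node hosting the VM; must not be null
     * @param vmid    id of the VM whose firewall is managed
     * @throws NullPointerException if {@code proxmox} or {@code node} is null
     */
    public FirewallManager(Proxmox proxmox, String node, int vmid) {
        // Fail at construction time, not on the first firewall call.
        this.proxmox = java.util.Objects.requireNonNull(proxmox, "proxmox");
        this.node = java.util.Objects.requireNonNull(node, "node");
        this.vmid = vmid;
    }

    /**
     * Turns the VM-level firewall on.
     *
     * <p>In Proxmox VE this takes effect only when the datacenter-level firewall is enabled
     * and the VM's network device has its firewall flag set.
     */
    public void enableFirewall() throws ProxmoxAPIError, InterruptedException {
        setFirewallEnabled(true);
    }

    /**
     * Turns the VM-level firewall off, which removes VM-level filtering. Callers should gate
     * and audit this operation.
     */
    public void disableFirewall() throws ProxmoxAPIError, InterruptedException {
        setFirewallEnabled(false);
    }

    /** Sends an options update that sets only the enable flag and waits for the task. */
    private void setFirewallEnabled(boolean enabled) throws ProxmoxAPIError, InterruptedException {
        PveQemuFirewallOptionsUpdate options = PveQemuFirewallOptionsUpdate.builder()
                .enable(enabled)
                .build();
        proxmox.getNodes().get(node).getQemu().get(vmid)
                .getFirewall()
                .updateOptions(options)
                .waitForCompletion(proxmox)
                .execute();
    }

    /**
     * Creates an empty IP set. The set has no effect until a firewall rule references it.
     *
     * @param name name of the IP set to create
     */
    public void createIPSet(String name) throws ProxmoxAPIError, InterruptedException {
        proxmox.getNodes().get(node).getQemu().get(vmid)
                .getFirewall()
                .getIpSet()
                .create(name, PveQemuFirewallIpSetCreateOptions.builder().build())
                .execute();
    }

    /**
     * Adds an address or CIDR range to an IP set.
     *
     * <p>The value is passed to the API as given. Validate it first when it originates from
     * user input, and reject ranges broader than intended.
     *
     * @param setName name of the IP set
     * @param cidr    address or CIDR range to add
     */
    public void addIPToSet(String setName, String cidr)
            throws ProxmoxAPIError, InterruptedException {
        proxmox.getNodes().get(node).getQemu().get(vmid)
                .getFirewall()
                .getIpSet()
                .addMember(setName, cidr, PveQemuFirewallIpSetMemberCreateOptions.builder().build())
                .execute();
    }

    /**
     * Removes an address or CIDR range from an IP set.
     *
     * @param setName name of the IP set
     * @param cidr    member to remove
     */
    public void removeIPFromSet(String setName, String cidr)
            throws ProxmoxAPIError, InterruptedException {
        // NOTE(review): the third argument is passed as null; presumably the optional
        // configuration digest. Confirm against the PVE4J signature.
        proxmox.getNodes().get(node).getQemu().get(vmid)
                .getFirewall()
                .getIpSet()
                .deleteMember(setName, cidr, null)
                .execute();
    }
}

- VM Management - Complete VM operations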
- Access Control - User permissions