Proxmox drop webui/ssh traffic on vlan1 but allow on vlan4

Getting into the DEF CON look of things, I've been working on securing my LAN event NOC from the secret hackers on the main VLAN, vlan1. I have my Proxmox host on 2 tagged VLANs, vlan1 and vlan4. vlan4 is the management VLAN. I know I can change the listen address, but that doesn't stop hackers from changing their IP to within the allowed subnet and then accessing the IP through vlan1. I need an actual firewall rule. Problem is... I don't know where to start with making a rule. I want to block port 8006 (HTTPS) and port 22 (TCP) on interface vlan1, but none of my attempts with the firewall have worked. Is there some voodoo magic I need to do in order to get my firewall rules to work?

If they're on VLAN1 it shouldn't matter if they change their IP or not, they can't access VLAN4 unless you have the two networks routed, in which case this is where you should have a firewall.

But to answer your question, you should be able to install UFW on Proxmox, which will make configuring the firewall pretty simple. Once it's installed the default action will be to deny all incoming traffic, so just create rules for the traffic you wish to allow.

An example would be:

ufw allow from 10.1.1.0/24 proto tcp to 10.1.1.1 port 22

The from address can be a subnet, an address, or just any; proto can be tcp, udp, etc.; the to address should be the interface address that the rule is for; and port is the port number of whatever you want to allow.

You'll probably need to run ufw enable to turn on the firewall, and ufw reload if you make any changes. You can also use ufw status to see the status and a list of firewall rules.
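A worked version of the UFW setup described in the answer above, added here as an example; it is not code from either post. It assumes the management VLAN is a Linux VLAN sub-interface named vmbr0.4 carrying 10.1.1.0/24 (neither name appears in the thread; change the variables to match the host). The one thing it adds to the answer's rule is ufw's "in on <interface>" option: binding the allow rules to the management interface means a host on vlan1 that spoofs a 10.1.1.x source address still arrives on the vlan1 interface, never matches the allow rule, and is dropped by the default deny, which is exactly the concern in the question. By default the script only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (not on the page):
# the management VLAN is Linux VLAN sub-interface vmbr0.4 carrying 10.1.1.0/24.
# DRY_RUN=1 (default) prints the ufw commands; DRY_RUN=0 runs them (needs root).

MGMT_IFACE="${MGMT_IFACE:-vmbr0.4}"
MGMT_NET="${MGMT_NET:-10.1.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print the ufw commands, one per line, in the order they must run.
# Allow rules come before "enable" so an SSH session is not cut off.
# "in on $iface" restricts the match to packets that physically arrive on
# the management interface; a spoofed 10.1.1.x source on the vlan1
# interface does not match and falls through to the default deny.
build_rules() {
    iface="$1"; net="$2"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on $iface from $net to any port 22 proto tcp
ufw allow in on $iface from $net to any port 8006 proto tcp
ufw --force enable
EOF
}

# Number of allow rules in the generated list bound to the given interface.
count_iface_rules() {
    build_rules "$1" "$2" | grep -c "in on $1 "
}

# Print or execute the generated commands, stopping at the first failure.
apply_rules() {
    build_rules "$MGMT_IFACE" "$MGMT_NET" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            # Arguments contain no spaces, so plain word splitting is safe here.
            $cmd || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
        fi
    done
}

apply_rules
```

After applying, "ufw status verbose" should show "Default: deny (incoming)" and the two ALLOW IN lines tagged with "on vmbr0.4"; anything arriving for 22 or 8006 on the vlan1 interface is then dropped. One caveat worth stating: run a single firewall manager on the host. Proxmox's own pve-firewall also writes iptables rules, so leaving it enabled alongside UFW gives two tools rewriting the same rule set.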