+IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
+default. Only exceptions is WebGUI(8006) and ssh(22) from your local
+network.
+
+If you want to administrate your {pve} hosts from remote, you
+need to create rules to allow traffic from those remote IPs to the web
+GUI (port 8006). You may also want to allow ssh (port 22), and maybe
+SPICE (port 3128).
+
+TIP: Please open a SSH connection to one of your {PVE} hosts before
+enabling the firewall. That way you still have access to the host if
+something goes wrong .
+
+To simplify that task, you can instead create an IPSet called
+``management'', and add all remote IPs there. This creates all required
+firewall rules to access the GUI from remote.
+
+
+[[pve_firewall_host_specific_configuration]]
+Host Specific Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Host related configuration is read from:
+
+ /etc/pve/nodes/<nodename>/host.fw
+
+This is useful if you want to overwrite rules from `cluster.fw`
+config. You can also increase log verbosity, and set netfilter related
+options. The configuration can contain the following sections:
+
+`[OPTIONS]`::
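Review bot: In the remote-administration paragraphs, "To simplify that task" now follows the TIP about opening an SSH session, so "that task" no longer clearly refers to creating the allow rules for port 8006. Consider moving the TIP directly after the IMPORTANT block, or rewording the sentence to name the task (creating the remote-access rules). The same paragraph says the ``management'' IPSet "creates all required firewall rules to access the GUI from remote" without stating whether ssh (port 22) and SPICE (port 3128), both mentioned just above, are covered; please list the ports it opens so readers do not assume SSH access that may not exist. Smaller points: "Only exceptions is" should read "The only exceptions are"; the attribute is spelled `{pve}` in one paragraph and `{PVE}` in the TIP, so pick one spelling; there is a stray space before the period in "goes wrong ."; and in the host-specific section "overwrite rules from `cluster.fw`" probably should be "override", since the text describes a per-host file and not a change to `cluster.fw` itself.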