+
+Enabling the Firewall
+^^^^^^^^^^^^^^^^^^^^^
+
+The firewall is completely disabled by default, so you need to
+set the enable option here:
+
+----
+[OPTIONS]
+# enable firewall (cluster wide setting, default is disabled)
+enable: 1
+----
+
+IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
+default. Only exceptions is WebGUI(8006) and ssh(22) from your local
+network.
+
+If you want to administrate your {pve} hosts from remote, you
+need to create rules to allow traffic from those remote IPs to the web
+GUI (port 8006). You may also want to allow ssh (port 22), and maybe
+SPICE (port 3128).
+
+TIP: Please open a SSH connection to one of your {PVE} hosts before
+enabling the firewall. That way you still have access to the host if
+something goes wrong .
+
+To simplify that task, you can instead create an IPSet called
+'management', and add all remote IPs there. This creates all required
+firewall rules to access the GUI from remote.
+
+