Hi there,
After having connection issues within a test container, I had a read through this page, which greatly helped (I took influence from the ufw commands found in the “more advanced rules” box).
I have it working now, but I’m wondering…
Have I overlooked anything that might lead to a security issue?
Or in other words, do my comments match the reality of the commands?
# Allow *almost* any outbound traffic from the Incus interface/subnet
nft insert rule ip filter INPUT index 3 iif "incusbr0" ip saddr 10.136.205.0/24 counter accept
# Allow DHCP outbound traffic when container does not yet have an IP address
nft insert rule ip filter INPUT index 3 iif "incusbr0" ip saddr 0.0.0.0/32 ip daddr 255.255.255.255 counter accept
# Similar to above commands in allowing any outbound traffic, but covering the forwarding-stage to the real interface
nft insert rule ip filter FORWARD index 0 iif "incusbr0" oif "ens3" ip saddr 10.136.205.0/24 counter accept
# Allow inbound traffic to be forwarded *only* in the case it's a connection my container initiated
nft insert rule ip filter FORWARD index 0 ct state established,related iif "ens3" oif "incusbr0" counter accept
Thanks for any advice!
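As an added example (not code from the original post or from Incus), here is the same policy expressed as a standalone nftables ruleset that can be loaded with `nft -f`. The interface names `incusbr0` and `ens3` and the subnet `10.136.205.0/24` are taken from the post; the table name `incus_guard`, the DHCP/DNS port allowances, the `iifname` matches and the explicit drops are this example's own assumptions. It keeps the two hook points separate: the `input` chain only ever sees packets addressed to the host itself (for an Incus bridge that is mostly DHCP and DNS to the dnsmasq Incus runs on the bridge), while the `forward` chain sees packets routed between the bridge and `ens3`, which is where guest traffic to the outside actually passes.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post. Interface names and the
# subnet come from the post; table name, port allowances and explicit drops
# are assumptions made for this example.

table inet incus_guard {
    chain input {
        # Hook "input": packets whose destination is the host itself.
        type filter hook input priority filter; policy accept;

        # Leave traffic from every other interface to the host's own rules.
        iifname != "incusbr0" return

        ct state established,related accept
        ct state invalid drop

        # DHCP DISCOVER/REQUEST from a guest that has no address yet
        # (source 0.0.0.0, broadcast destination, DHCP server port 67).
        ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept

        # Guests talking to the dnsmasq on the bridge: DHCP renewals and DNS.
        ip saddr 10.136.205.0/24 udp dport { 53, 67 } accept
        ip saddr 10.136.205.0/24 tcp dport 53 accept

        # Anything else from the bridge to host services is dropped and counted.
        counter drop
    }

    chain forward {
        # Hook "forward": packets routed through the host between interfaces.
        type filter hook forward priority filter; policy accept;

        # Guest -> world, only with a source address that belongs to the
        # bridge subnet (a guest using another source address is dropped below).
        iifname "incusbr0" oifname "ens3" ip saddr 10.136.205.0/24 accept

        # World -> guest only for flows the guest opened.
        iifname "ens3" oifname "incusbr0" ct state established,related accept

        # Everything else crossing between these two interfaces is dropped,
        # so the policy does not depend on another table's default policy.
        iifname "incusbr0" oifname "ens3" counter drop
        iifname "ens3" oifname "incusbr0" counter drop
    }
}
```

Syntax-check it with `nft -c -f incus_guard.nft` before loading with `nft -f incus_guard.nft`, and read the counters back with `nft list table inet incus_guard`. Two design points worth knowing: `iifname` matches the interface by name, whereas `iif` binds to the interface index at rule-load time and will not match a bridge that is later destroyed and recreated; and all base chains registered at the same hook are evaluated, with a drop in any of them being final, so this table coexists with ufw's own tables rather than replacing them.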