Hello there,
I was wondering how I could create a completely isolated network with LXD. By completely isolated I mean:
- no containers should be able to see and interact with the LXD Host.
- containers should still be able to communicate with each other.
My main goal is to keep GUI apps in a “network quarantine” in case one of them would get infected by malware or something. I also understand the difference between virtualization and containerization in terms of security. It just looks like a good middle-of-the-road choice between performance and security.
Here’s an overview of what I want to set up:
+----------------------------------------------+
| local network, internet, and everything      |
+-----------------------+----------------------+
                        |
+-----------------------+----------------------+
| NETWORK  lxdbr0                              |
| nat, dhcp and dns enabled                    |
+-----------------------+----------------------+
                        |
+-----------------------+----------------------+
| CONTAINER  tor-proxy                         |
| just a socks proxy running tor as a client.  |
+-----------------------+----------------------+
                        |
+-----------------------+----------------------+
| NETWORK  lxdbr-ISOLATED                      |
| nat, dhcp and dns disabled.                  |
| no access to the main lxd HOST               |
+-----------------------+----------------------+
                        |
            +-----------+-------------+-------------------------+
            |                         |                         |
+-----------+-----------+ +-----------+-----------+ +-----------+-----------+
| CONTAINER             | | CONTAINER             | | CONTAINER             |
| firefox-ISOLATED      | | konversation-ISOLATED | | kmail-ISOLATED        |
+-----------------------+ +-----------------------+ +-----------------------+
It means setting up a network in such a way:
- assigning it to a new profile and making sure the default network has been removed from it
- disabling ipv4/ipv6 nat and dhcp, and also setting dns.mode to none
- some sort of ipv4/ipv6 firewall configuration. I don’t know how it works because the ipv4.firewall key seems poorly documented. All I know is that there is some kind of automatic firewall rule creation process.
So my final question is: is there anything I missed while planning my config? Any terrible mistake that could compromise my host?
And also, what is this ipv4.firewall config key?
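The network and profile described in the post, written out as lxc commands. This is an added example, not part of the original post or of LXD itself; the names lxdbr-isolated, isolated and tor-proxy, the storage pool default and the image are placeholders.

```shell
#!/bin/sh
# Added example; not from the original post or the LXD project. Network, profile and
# container names, the storage pool and the image are placeholders.
# Usage: "sh isolate.sh apply" runs it; "LXC=echo sh isolate.sh apply" prints the commands.
set -e
LXC=${LXC:-lxc}
NET=${NET:-lxdbr-isolated}
PROFILE=${PROFILE:-isolated}
POOL=${POOL:-default}
IMAGE=${IMAGE:-ubuntu:22.04}

create_isolated_network() {
  # ipv4.address=none / ipv6.address=none: the host holds no address on the bridge and
  # LXD runs no dnsmasq for it, so there is nothing to lease, resolve or masquerade.
  # The nat/dhcp/dns keys are then moot but set anyway to match the plan.
  # ipv4.firewall / ipv6.firewall: whether LXD generates its own firewall rules for the
  # bridge (the ones that normally accept DHCP/DNS to it and forward its traffic).
  "$LXC" network create "$NET" \
    ipv4.address=none ipv4.nat=false ipv4.dhcp=false ipv4.firewall=false \
    ipv6.address=none ipv6.nat=false ipv6.dhcp=false ipv6.firewall=false \
    dns.mode=none
}

create_isolated_profile() {
  # A new profile starts empty, so nothing from "default" (including its lxdbr0 nic)
  # is inherited: just a root disk and one nic on the isolated bridge.
  "$LXC" profile create "$PROFILE"
  "$LXC" profile device add "$PROFILE" root disk path=/ pool="$POOL"
  "$LXC" profile device add "$PROFILE" eth0 nic network="$NET" security.mac_filtering=true
}

launch_isolated() {
  # $1 = container name; -p replaces the default profile rather than adding to it.
  "$LXC" launch "$IMAGE" "$1" -p "$PROFILE"
}

attach_proxy() {
  # $1 = the tor-proxy container: it keeps eth0 on lxdbr0 and gets a second nic on the
  # isolated bridge, making it the only path out of the quarantine network.
  "$LXC" config device add "$1" eth1 nic network="$NET" security.mac_filtering=true
}

if [ "${1:-}" = "apply" ]; then
  create_isolated_network
  create_isolated_profile
  for c in firefox-ISOLATED konversation-ISOLATED kmail-ISOLATED; do
    launch_isolated "$c"
  done
  attach_proxy tor-proxy
fi
```

After creating the bridge, check on the host with `ip addr show lxdbr-isolated`: any address still present on it (including an fe80:: link-local) is a host endpoint the isolated containers can reach and needs host firewall rules.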