Correct firewall settings for host with multiple containers

I’ve been searching in this forum for an answer to this but couldn’t find one, apologies if this is a duplicate.

I have an Ubuntu 18.04 host running on a VPS with two containers, each of which run Debian buster. One of those containers is running Caddy as a reverse proxy and the other is running an XMPP server. I am using proxy devices to forward the following ports:

  • tcp:80 & tcp:443 --> Caddy (type proxy)
  • tcp:5222, tcp:5000, tcp:5269 --> XMPP (type proxy)

When I run # netstat -tulpn on my host I see that, in addition to these ports, ports 53 and 67 are also open, with the programs dnsmasq and systemd-resolve listening on those ports, as well as port 22 for ssh, which I expect.

Question 1:
I would like to secure the host machine with a firewall (UFW preferably) but I am not sure which ports to allow to/from the host machine. Are ports 53 and 67 required?

Question 2:
Should I be using proxy devices to forward these ports to the requisite containers? It seems simple but I’ve noticed that each spawns a forkproxy process that consumes 1.3% memory on average. Would using IPTables be a better option?

:thinking: I doubt that these ports are required.
I use ufw on my hosts (without specific exceptions for ports 53 and 67) and everything seems to work fine.

LXD uses (afaik) its own dns to manage container networks.

You only need to allow DHCP and DNS inbound to the lxdbr0 interface so your containers can access the dnsmasq process that LXD launches to provide internal DHCP and DNS services. This process only listens on the lxdbr0 interface and is not reachable from other interfaces on the host (even without a firewall). Although systemd-resolve isn’t anything to do with LXD, it should only be listening on the local loopback interface so shouldn’t be reachable from outside the host either, but worth checking.

LXD will add the necessary iptables/nftables rules to achieve this too, so as long as your other firewall rules don’t preempt this, there should be nothing you need to do.

Using the forkproxy device type is quite acceptable, although as you say, because it spawns a process per device, if you are launching a lot of them this may be an issue. I’m not sure if that level of memory usage is expected, @stgraber or @brauner may have comments on that (although we would need more concrete memory usage data than a percentage to comment as to whether that is considered normal or not).

Irrespective of that, if the memory usage is too high for you, then LXD’s proxy device type also supports a nat=true mode that will automatically configure the necessary iptables/nftables DNAT port forwarding rules rather than use a per-device forkproxy process. So this would avoid the memory needed for that. However, because it uses a DNAT port forward, the container will need to have a statically allocated DHCP reservation (using lxc config device override <container> eth0 ipv4.address=n.n.n.n) so that the proxy device can know where to forward the packets to.

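The check suggested in the reply above (confirm that dnsmasq only answers on lxdbr0 and that systemd-resolve only sits on loopback) and the "which ports do I allow" question from the original post, worked through as an added example that is not part of any post in this thread. It parses netstat -tulpn output, classifies each listener by its bind address, and derives a minimal UFW allow-list: loopback-only sockets need no rule, the LXD DHCP/DNS ports get rules scoped to the bridge interface, the ports the poster forwards get public rules, and anything else is flagged for review. The netstat sample is constructed (PIDs, program names and the 10.100.20.1/24 bridge address are illustrative), and the intended public port list is taken from the question.

```python
"""Audit listening sockets on an LXD host and derive a minimal UFW allow-list.

Added example, not code from the thread or from LXD. The netstat sample
below is constructed; the lxdbr0 address is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in `netstat -tulpn` layout. Program names and PIDs are
# illustrative; the 0.0.0.0:8080 entry is a deliberately stray listener.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 10.100.20.1:53          0.0.0.0:*               LISTEN      1200/dnsmasq
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      700/systemd-resolve
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2100/python3
tcp6       0      0 :::80                   :::*                    LISTEN      1400/lxd
tcp6       0      0 :::443                  :::*                    LISTEN      1401/lxd
tcp6       0      0 :::5222                 :::*                    LISTEN      1402/lxd
tcp6       0      0 :::5000                 :::*                    LISTEN      1403/lxd
tcp6       0      0 :::5269                 :::*                    LISTEN      1404/lxd
udp        0      0 10.100.20.1:53          0.0.0.0:*                           1200/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1200/dnsmasq
udp        0      0 127.0.0.53:53           0.0.0.0:*                           700/systemd-resolve
"""

BRIDGE_IF = "lxdbr0"                                   # assumed LXD bridge name
BRIDGE_NET = ipaddress.ip_network("10.100.20.0/24")    # assumed lxdbr0 subnet
# Ports the original post forwards into the containers, plus ssh on the host.
PUBLIC_PORTS = {(22, "tcp"), (80, "tcp"), (443, "tcp"),
                (5222, "tcp"), (5000, "tcp"), (5269, "tcp")}
# LXD's dnsmasq services: only containers on the bridge should reach these.
BRIDGE_SERVICES = {(53, "tcp"), (53, "udp"), (67, "udp")}
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp" (tcp6/udp6 normalised)
    addr: str       # bind address exactly as netstat prints it
    port: int
    program: str


def parse_netstat(text):
    """Turn `netstat -tulpn` output into Listener records (header skipped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")
        addr, _, port = fields[3].rpartition(":")     # handles ":::80" too
        pidprog = fields[-1]                          # udp rows have no State
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def classify(listener, bridge_net):
    """Where is this socket reachable from, judged by its bind address?"""
    if listener.addr in WILDCARDS:
        return "wildcard"          # every interface, including the public one
    try:
        ip = ipaddress.ip_address(listener.addr)
    except ValueError:
        return "other"
    if ip.is_loopback:
        return "loopback"          # 127.0.0.53 etc.: not reachable externally
    if ip in bridge_net:
        return "bridge"            # bound to the lxdbr0 address only
    return "other"


def plan_ufw(listeners, bridge_if, bridge_net, public_ports, bridge_services):
    """Return (ufw rules, listeners needing a human decision)."""
    rules, review = [], []
    for l in listeners:
        exposure = classify(l, bridge_net)
        key = (l.port, l.proto)
        if exposure == "loopback":
            continue               # no rule needed; cannot be reached anyway
        if key in bridge_services:
            # Accept only on the bridge; with default-deny this blocks the
            # wildcard-bound DHCP socket on the public interface.
            rules.append(f"ufw allow in on {bridge_if} proto {l.proto} to any port {l.port}")
        elif key in public_ports:
            rules.append(f"ufw allow {l.port}/{l.proto}")
        else:
            review.append((l, exposure))
    return sorted(set(rules)), review


def audit(text=SAMPLE_NETSTAT):
    """Convenience wrapper using the module defaults above."""
    return plan_ufw(parse_netstat(text), BRIDGE_IF, BRIDGE_NET,
                    PUBLIC_PORTS, BRIDGE_SERVICES)


if __name__ == "__main__":
    rules, review = audit()
    print("ufw default deny incoming")
    for rule in rules:
        print(rule)
    for l, exposure in review:
        print(f"# REVIEW: {l.program} listens on {l.proto} {l.addr}:{l.port} "
              f"({exposure}) and is not in the intended port list")
```

Run it against the output of `netstat -tulpn` on the real host (after adjusting BRIDGE_NET to the lxdbr0 address shown by `ip addr`) to see which sockets would still be reachable from the public interface under the proposed rules; the DHCP socket bound to 0.0.0.0:67 is the case worth noticing, since it is the interface-scoped rule plus the default deny, not the bind address, that keeps it off the public side.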