How to create ACL between bridges? (only ingress)

I want to allow specific bridges to talk with each other, so I created ACLs to allow ingress from each bridge's subnet, but I am still unable to get that working.

For example, I have firewallbr0 with range 10.10.10.1/24, and I have two other bridges, internalbr0 on 10.10.60.1/24 and authbr0 on 10.10.50.1/24. I want firewallbr0 to communicate with both internalbr0 and authbr0, but I do not want any communication between internalbr0 and authbr0.

So I created 3 ACLs: firewall, internal, public.

[arch@server ~]$ sudo incus network acl show firewall
name: firewall
description: ""
egress:
- action: allow
  state: enabled
ingress:
- action: allow
  source: 10.10.50.1/24
  state: enabled
- action: allow
  source: 10.10.40.1/24
  state: enabled
- action: reject
  state: enabled
config: {}
used_by:
- /1.0/networks/firewallbr0
project: default

[arch@server ~]$ sudo incus network acl show internal
name: internal
description: ""
egress:
- action: allow
  state: enabled
ingress:
- action: allow
  source: 10.10.10.1/24
  state: enabled
- action: reject
  state: enabled
config: {}
used_by:
- /1.0/networks/internal0
project: default

[arch@server ~]$ sudo incus network acl show auth
name: auth
description: ""
egress:
- action: allow
  state: enabled
ingress:
- action: allow
  source: 10.10.10.1/24
  state: enabled
- action: reject
  state: enabled
config: {}
used_by:
- /1.0/networks/authbr0
project: default

When I attach the ACLs and create instances, I am unable even to reach internalbr0 or authbr0 from firewallbr0.

Can anyone help please? I just want to set up ACL rules between bridges and specifically allow/disallow ingress between each other.

@stgraber

You want to use .0/24 not .1/24 and don’t put the reject rule at the end.

The way ACLs work is that any configured ACL always ends with the default action (reject). Reject and drop rules take precedence over allow, so your config would block everything.


Thanks a lot!! I removed the reject rule and it responds. I also want to allow the host to communicate with the bridge, and I added the host's public IP to allow ingress (it's a dedicated server with a single public IP), but it's not pinging. What should I do?

@stgraber sorry for pinging, do you know? >.<

The host connections will almost certainly come from the IP address it has on the bridge (.1) rather than the public IP address it has on another interface.

ping 10.10.30.175
PING 10.10.30.175 (10.10.30.175) 56(84) bytes of data.
From 10.10.30.1 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 10.10.30.1 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted

I get a reject from the host; shouldn't it be allowed if it's from .1 of its own range?

After adding its own range to allow ingress, it responds now from the host.
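The two answers in this thread (an explicit reject or drop wins over any allow and the implicit default is reject; host traffic arrives from the bridge's own .1 address) can be checked against a small model before touching a live server. The following is an added example written for this thread, not Incus code and not the original poster's configuration: the Rule class and evaluate_ingress() function are assumptions that implement only the behaviour stated in the replies, and the probe addresses (10.10.10.5, 10.10.50.5, 10.10.60.1) are constructed sample sources on the subnets named in the question.

```python
"""Model of Incus network ACL ingress evaluation as described in this thread.

Added illustration, not Incus's implementation: the evaluation order below is an
assumption that follows the answers given here (a matching reject/drop rule beats
any matching allow rule, and unmatched traffic hits the implicit default reject).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "reject" or "drop"
    source: Optional[str] = None    # CIDR prefix; None means "any source"


def host_bits_set(cidr: str) -> bool:
    """True when a prefix such as 10.10.50.1/24 carries host bits (should be .0/24)."""
    return str(ipaddress.ip_network(cidr, strict=False)) != cidr


def bad_sources(rules: List[Rule]) -> List[str]:
    """Return every source prefix that is not written on a network boundary."""
    return [r.source for r in rules if r.source is not None and host_bits_set(r.source)]


def matches(rule: Rule, src_ip: str) -> bool:
    """A rule without a source matches everything; otherwise test CIDR membership."""
    if rule.source is None:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def evaluate_ingress(rules: List[Rule], src_ip: str, default: str = "reject") -> str:
    """Decide the fate of a packet from src_ip under the thread's stated semantics."""
    matching = [r for r in rules if matches(r, src_ip)]
    for r in matching:
        if r.action in ("reject", "drop"):   # reject/drop wins regardless of position
            return r.action
    if any(r.action == "allow" for r in matching):
        return "allow"
    return default                            # nothing matched: implicit default reject


# The "internal" ACL as posted: allow from the firewall subnet, then a catch-all
# reject.  Written with .0/24 so the prefix is valid.
INTERNAL_AS_POSTED = [Rule("allow", "10.10.10.0/24"), Rule("reject")]

# Corrected ACL: drop the trailing reject and rely on the implicit default.
INTERNAL_FIXED = [Rule("allow", "10.10.10.0/24")]

# Host-to-bridge traffic leaves from the bridge's own address (.1), so the
# bridge's own subnet (10.10.60.0/24 for internalbr0) must be allowed as well.
INTERNAL_WITH_HOST = [Rule("allow", "10.10.10.0/24"), Rule("allow", "10.10.60.0/24")]


def summarize(rules: List[Rule], sources: List[str]) -> dict:
    """Map each constructed probe source to the decision the ACL would make."""
    return {src: evaluate_ingress(rules, src) for src in sources}


if __name__ == "__main__":
    # Prefixes with host bits, as in the original "firewall" ACL.
    print("non-boundary prefixes:", bad_sources([Rule("allow", "10.10.50.1/24"),
                                                 Rule("allow", "10.10.40.1/24")]))
    probes = ["10.10.10.5", "10.10.50.5", "10.10.60.1"]   # constructed sample sources
    for name, rules in (("as posted", INTERNAL_AS_POSTED),
                        ("fixed", INTERNAL_FIXED),
                        ("fixed + host", INTERNAL_WITH_HOST)):
        print(f"{name:13s}", summarize(rules, probes))
```

Running it shows the three states of the thread: the posted ACL rejects even the firewall subnet because the catch-all reject matches everything, the corrected ACL allows 10.10.10.x while the authbr0 subnet falls through to the default reject, and the host's 10.10.60.1 only passes once the bridge's own range is allowed.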