LXC Containers & UFW firewall on the LXD host

I am running an ERPNext instance inside an LXD container. To access the web interface I have two proxy devices connecting ports 80/443 of the container to the host's ports 80/443.

The application fetches currency exchange rates from fixer.io. I don’t know how this works exactly, maybe via curl.

Now something happens when I activate the ufw firewall (which has allow rules for 80, 443 & 22) which I have trouble understanding logically. I can still access the web interface, but can no longer get the conversion rates.

Why do I have problems with the logic? As mentioned, I am only forwarding 80/443 to the container. This does not change with the host's firewall enabled or disabled. So I would expect that only traffic via 80/443 should have been able to reach the container anyway, and if any other port was required by the application inside the container it should have failed before as well.

Can anybody explain what is happening here?

Most likely ufw is preventing outbound FORWARDed packets coming from LXD’s containers going via the lxdbr0 bridge and out onto the external network.

See "Lxd bridge doesn't work with IPv4 and UFW with nftables" for a possible solution.

That does work. However, I am not at all clear about what it does and whether it is a solution or just a workaround. My ufw experience is still quite limited.

I guess it is better than disabling ufw on the host completely, though.

It allows inbound packets from lxdbr0 to your host, and it allows outbound packets from lxdbr0 to traverse through your host to other networks. LXD adds similar rules to allow managed bridge operation, but in this case UFW is interfering with them.
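As an added example (not code from the thread or from LXD), here is the host-side change the replies above describe, as a shell script: the three ufw rules that open the managed bridge, plus a check that parses `ufw show added` output and reports which of them are missing. It assumes the bridge is named lxdbr0 (as in the thread) and a ufw version with the `ufw route` subcommand (0.34 or later). The background, for the original question: ufw ships with DEFAULT_FORWARD_POLICY="DROP", so once it is enabled, packets that the host merely forwards from lxdbr0 to the outside (the container's own outbound fetch) are dropped, while the proxy devices keep working because, in their default mode, a forwarder process on the host accepts the connection on port 80/443 itself and opens a fresh connection to the container; those packets are INPUT to the host, not FORWARDed, and the allow rules for 80/443 cover them.

```shell
#!/bin/sh
# Added example, not from the thread: open ufw for a managed LXD bridge.
# Assumptions: the bridge is lxdbr0 (override with BRIDGE=...), and
# ufw >= 0.34, which provides "ufw route" for the FORWARD chain.

BRIDGE="${BRIDGE:-lxdbr0}"

# The three rules the reply describes:
#   1. inbound from the bridge to the host itself (DHCP/DNS that LXD's dnsmasq
#      serves to containers on lxdbr0),
#   2. forwarded traffic entering via the bridge (container -> outside world),
#   3. forwarded traffic leaving via the bridge (replies and inbound NAT back in).
# Without 2 and 3, ufw's DEFAULT_FORWARD_POLICY="DROP" eats the container's
# outbound fetch, which is what the question observed.
apply_lxd_ufw_rules() {
    sudo ufw allow in on "$BRIDGE"
    sudo ufw route allow in on "$BRIDGE"
    sudo ufw route allow out on "$BRIDGE"
    sudo ufw reload
}

# Read `ufw show added` output from stdin and verify all three rules are present.
# ufw prints each added rule as the command that created it, one per line
# (assumed format; match is exact per line). Returns 0 when all are present,
# otherwise prints each missing rule to stderr and returns 1.
check_lxd_ufw_rules() {
    added="$(cat)"
    missing=0
    for rule in "ufw allow in on $BRIDGE" \
                "ufw route allow in on $BRIDGE" \
                "ufw route allow out on $BRIDGE"; do
        if ! printf '%s\n' "$added" | grep -qxF -- "$rule"; then
            echo "missing: $rule" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone use on a real host:  sh this_script.sh --check
# Runs the check against the live rule set only if ufw is installed.
if [ "${1:-}" = "--check" ] && command -v ufw >/dev/null 2>&1; then
    sudo ufw show added | check_lxd_ufw_rules && echo "$BRIDGE rules present"
fi
```

The check is deliberately separate from the apply step so it can be run before enabling ufw on a host that already has containers depending on the bridge; `apply_lxd_ufw_rules` is only a wrapper around the three `ufw` commands and needs root.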