Hey. I don't really understand network ACLs in LXC.
From a typical firewall, like pfSense, I set it up like this:
allow XXXXX port X
allow CCCCC port C
drop internal_ips
allow all_other
That means I have internet. I block all internal IPs and I allow specific hosts/ports.
How to do that with network ACLs?
I try:
lxc network acl create dmz1
By default everything is blocked.
allow 10.0.0.2 port 636
blocking 10.0.0.0/24 my internal network
allow 0.0.0.0/0 for internet.
I cannot create any order/sort.
I also try with 2 ACLs like
security.acls: drop-internal,allow-internet
or security.acls: allow-internet,drop-internal
I cannot reach 10.0.0.2 because it's inside 10.0.0.0/24.
That's why I have very strange rules.
security.acls: drop-internal
security.acls.default.egress.action: allow
security.acls.default.ingress.action: allow
name: drop-internal
description: Alles was nicht geblockt ist wird erlaubt
egress:
- action: drop
  destination: 192.168.0.0-192.168.0.255
  state: enabled
- action: drop
  destination: 10.0.0.0-10.0.0.1,10.0.0.4-10.0.0.255
  state: enabled
- action: drop
  destination: 10.0.0.2
  protocol: udp
  destination_port: 0-52,54-65535
  state: enabled
- action: drop
  destination: 10.0.0.2
  protocol: tcp
  destination_port: 0-52,54-79,81-635,637-65535
  state: enabled
- action: drop
  destination: 10.0.0.3
  protocol: udp
  destination_port: 0-65535
  state: enabled
- action: drop
  destination: 10.0.0.3
  protocol: tcp
  destination_port: 0-3388,3390-65535
  state: enabled
ingress: []
config: {}
used_by:
- /1.0/networks/dmz
Internet is allowed because of the default allow.
10.0.0.2 is allowed on 53 udp/tcp, 80 tcp, 636 tcp
10.0.0.3 is allowed on 3389 tcp
10.0.0.0/24 is blocked
192.168.0.0/24 is blocked
Why this??? Because, for example, for port 80 I have to block from 0 until 79 + 81 until 65535.
And I think this is very strange and complicated, and I think I am doing this wrong.
How to do that correctly?
I want to allow 10.0.0.2:636:tcp while at the same time dropping 10.0.0.0/24.
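An added illustration (not part of the post, and not LXD's own code): a small Python model of why an allow rule for 10.0.0.2:636 loses against a drop for 10.0.0.0/24 in the same ACL, and of the shape that avoids the problem. It assumes LXD's documented behaviour that deny rules (drop/reject) are matched before allow rules regardless of listing order, with the ACL default action (reject by default) applied last, and that `@external` is the LXD selector for traffic leaving the network's subnet; the rules and addresses are constructed.

```python
import ipaddress
# Constructed rules in the shape of the ACL in the post: the allow for
# 10.0.0.2 tcp/636 sits beside a drop for the whole internal subnet.
ATTEMPT = [
    {"action": "allow", "destination": "10.0.0.2", "protocol": "tcp", "destination_port": "636"},
    {"action": "drop", "destination": "10.0.0.0/24"},
    {"action": "allow", "destination": "0.0.0.0/0"},
]
# Corrected shape: no drop rule at all; the ACL default action (reject) does the
# blocking. "@external" is assumed to be LXD's selector for non-local traffic.
FIXED = [
    {"action": "allow", "destination": "10.0.0.2", "protocol": "tcp", "destination_port": "636"},
    {"action": "allow", "destination": "@external"},
]

def _ip_matches(spec, ip, net):
    if not spec:
        return True
    if spec.startswith("@"):               # @internal / @external selectors
        return (ip in net) == (spec == "@internal")
    for part in spec.split(","):           # "a-b" ranges, CIDRs, single IPs
        if "-" in part:
            lo, hi = (ipaddress.ip_address(p) for p in part.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(part, strict=False):
            return True
    return False

def _port_matches(spec, port):
    if not spec:
        return True
    for part in spec.split(","):           # "0-52,54-65535" style lists
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, default_action, net, dst_ip, proto, port):
    """Return the action applied to one egress packet under the modelled rules."""
    ip, network = ipaddress.ip_address(dst_ip), ipaddress.ip_network(net)
    # Deny rules (drop/reject) match before allow rules whatever the listing
    # order; the stable sort keeps that precedence, the default applies last.
    ordered = sorted(rules, key=lambda r: r["action"] == "allow")
    for r in ordered:
        if (r.get("state", "enabled") == "enabled"
                and _ip_matches(r.get("destination"), ip, network)
                and r.get("protocol") in (None, proto)
                and _port_matches(r.get("destination_port"), port)):
            return r["action"]
    return default_action
```

Feeding the post's own drop-internal rules into evaluate() shows the same thing: every port not carved out of the drop ranges ends in "drop", which is why the rule list had to grow so long.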