Edit: added some more details.
Hi,
I am new to LXD and don’t understand much about networking and firewalld.
My setup is the following:
- The LXD host (which itself is a libvirt domain, but hopefully that does not matter) runs a headless Debian 11 with LXD 5.12 installed via snapd. No Docker installed. A single interface.
- In /etc/network/interfaces, I defined an unmanaged bridge br0 which gets its IP with DHCP:

```
iface enp1s0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports enp1s0
```
- I run firewalld with the default settings so it uses the ‘public’ zone as default.
- I create containers with their NIC on that bridge:

```yaml
devices:
  eth0:
    name: eth0
    nictype: bridge
    parent: br0
    type: nic
```
Everything runs quite happily: my containers get their IP from DHCP, appear on the LAN, and I can access services running on them. But if I add restrictions in the host's firewalld public zone (the default), that affects the LXD host but not the containers.

What is the right way to restrict or protect the network access of a container from outside of the container? I guess I am looking for something a bit like the nwfilters of libvirt, which are defined outside the domains.