Noob: firewalld and containers

Edit: added some more details.
I am new to LXD and don’t understand much about networking and firewalld.

My setup is the following:

  • The LXD host (which itself is a libvirt domain but hopefully it does not matter) runs a headless debian 11 with LXD 5.12 installed via snapd. No docker installed. A single interface.
  • In /etc/network/interfaces, I defined an unmanaged bridge br0 which gets its IP via DHCP:
iface enp1s0 inet manual
auto br0
iface br0 inet dhcp
       bridge_ports enp1s0
  • I run firewalld with the default settings so it uses the ‘public’ zone as default.
  • I create containers with their NIC on that bridge:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic

Everything runs quite happily and my containers get their IP from DHCP and appear on the LAN and I can access services running on them. But if I add restrictions in the host’s firewalld public zone (default), that affects the LXD host but not the containers.

What is the right way to restrict or protect the network access of a container from outside of the container? I guess I am looking for something a bit like the nwfilters of libvirt, which are defined outside the domains.

Without details and ways to reproduce your scenario it’s hard to say what’s what.
So as a rule of thumb take a quick look at this page to make sure you’re not facing a pitfall.

OVN might be what you’re after
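An added example, not part of the thread above, of what the OVN suggestion looks like in practice: an LXD network ACL that admits only TCP 80 and 443 into instances, attached to an OVN network whose default ingress action is drop, so the policy lives in LXD rather than inside the container (much like a libvirt nwfilter). It assumes the host already has OVN configured for LXD and an uplink network called `lxdbr0`; the names `web-only`, `ovn0` and `c1` are made up for the example. Because LXD ACLs attach to LXD-managed networks, the instance NIC has to move from the unmanaged `br0` to the OVN network for the ACL to take effect.

```shell
#!/bin/sh
# Added example (not from the thread): restrict inbound traffic to LXD
# instances with a network ACL on an OVN network, instead of the host's
# firewalld zone, which only governs the host's own interfaces.
# Assumptions: OVN is already set up for LXD, an uplink network named
# "lxdbr0" exists, and the ACL/network/instance names are hypothetical.
set -eu

ACL_NAME="web-only"
OVN_NET="ovn0"
UPLINK="lxdbr0"

# Emit the ACL as YAML in the shape `lxc network acl edit` accepts.
# $1 = comma-separated TCP destination ports (ranges like 8000-8100 also work).
# No egress rules are given, so outbound traffic falls back to the network's
# security.acls.default.egress.action (set to allow below).
acl_yaml() {
    cat <<EOF
description: Allow only selected inbound TCP ports; drop everything else
egress: []
ingress:
- action: allow
  state: enabled
  protocol: tcp
  destination_port: "$1"
config: {}
EOF
}

# Create the ACL if missing, then (re)load its rules from the YAML above.
ensure_acl() {
    if ! lxc network acl show "$ACL_NAME" >/dev/null 2>&1; then
        lxc network acl create "$ACL_NAME"
    fi
    acl_yaml "$1" | lxc network acl edit "$ACL_NAME"
}

# Create the OVN network, apply the ACL to every NIC on it, and make the
# default ingress action drop so anything not explicitly allowed is dropped
# at the virtual switch, outside the container.
ensure_network() {
    if ! lxc network show "$OVN_NET" >/dev/null 2>&1; then
        lxc network create "$OVN_NET" --type=ovn network="$UPLINK"
    fi
    lxc network set "$OVN_NET" \
        security.acls="$ACL_NAME" \
        security.acls.default.ingress.action=drop \
        security.acls.default.egress.action=allow
}

# Only talk to LXD when the client is installed; otherwise just show the spec.
if command -v lxc >/dev/null 2>&1; then
    ensure_acl "80,443"
    ensure_network
    # Move an instance's NIC onto the filtered network (hypothetical name c1):
    # lxc config device add c1 eth0 nic network="$OVN_NET"
else
    acl_yaml "80,443"
fi
```

Check the result with `lxc network acl show web-only` and `lxc network show ovn0`; to widen the policy later, change the port list passed to `ensure_acl` rather than editing rules inside the container.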

Thanks. I did look at the firewall info for LXD page.
OVN looks hairy but I will look at it in more detail. may give you some pointers.