Problem with LXD and ufw on a fresh system

Hi. I just installed Kubuntu 21.10, ufw and snap LXD (in that order) on a new laptop, and am having the same trouble as on my old laptop (having Kubuntu 21.04) when ufw is enabled.

I enable/disable ufw through gufw. No rules have been added.

The problem shows when I do lxc list: I see no addresses when the container has been started while ufw was running (and can only enter it through lxc exec mycontainer bash).

|    NAME     |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
| mycontainer | RUNNING |      |      | CONTAINER | 0         |

When I disable ufw and restart the container, I see:

|    NAME     |  STATE  |         IPV4          | IPV6 |   TYPE    | SNAPSHOTS |
| mycontainer | RUNNING | (eth0) |      | CONTAINER | 0         |

Is there a way to use LXD with ufw? Has anyone else encountered these issues between LXD and ufw?

Perhaps a guide should be written to help users who want to use ufw and LXD together, especially as there is no indication that it was ufw that was causing the lack of IP address, and I had no idea what was going on until I discovered it.

Allowing everything on lxdbr0 through ufw somehow solves the problem, but that seems too permissive.

Please help?

Hi karjala,
Could you post the outputs of the following commands?

sudo ufw status verbose
lxc network ls
lxc network show lxdbr0


$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
$ lxc network ls
|  NAME  |   TYPE   | MANAGED |      IPV4       | IPV6 | DESCRIPTION | USED BY |
| lxdbr0 | bridge   | YES     | | none |             | 2       |
| wlo1   | physical | NO      |                 |      |             | 0       |
$ lxc network show lxdbr0
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
- /1.0/instances/mycontainer
- /1.0/profiles/default
managed: true
status: Created
- none

Your ufw policy is denying incoming and routed traffic by default. This will prevent dhcp and DNS requests from arriving at lxdbr0 interface and will prevent routed traffic between lxdbr0 and your external network.

See Lxd bridge doesn't work with IPv4 and UFW with nftables - #17 by tomp for a fix.

1 Like

Upps sorry, I didnt catch up on the deny(routed) part.

Aren’t these two rules suggested by the other post too permissive?

sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0

Doesn’t it mean that the containers will be able to attempt to ssh on the host machine, for example?

What is the minimum number of ports I need to allow on the host, for LXD to work?

Thank you,

Hi karjala,
As @tomp mentioned that, I suppose 2 UDP ports: 67 and 68 for DHCP and TCP/UDP 53 for DNS is enough for minimum number of ports and ssh/22 typically.

1 Like

By adding these two ufw rules listed here:

ufw allow in on lxdbr0 to port 53
ufw allow in on lxdbr0 proto udp to port 67:68

…it worked. Thanks.

If you run:

sudo apt install nftables
sudo nft list table inet lxd

You will see the rules that LXD adds to its own lxd nftables table, which normally would take effect if there wasn’t another nftables table with a default drop rule.

You can then replicate those into your ufw ruleset.