Security: Firewall on LXD host only with a bridge network

Let’s say we have a simple architecture: one host with multiple containers using a bridge network. Only the host has a public IP and it routes traffic using port forwarding.

Also, the host has a firewall that only allows access to configured ports.

Is this configuration secure enough?
Should we add firewalls on containers too?

If I assume that attacks will not come from a hosted container, I don't see the point of adding firewalls at the container level since they are unreachable from outside (except for forwarded ports).

If you trust your container workloads then you probably don't need to restrict traffic between containers.

One thing to keep in mind though is that if you are exposing specific services running in containers to the outside world (via port forwarding) and those services become compromised, then they may be used to compromise the instance by using outbound connectivity to establish a reverse control session or download a malicious payload.

So you may consider restricting outbound traffic from the bridge on the LXD host to only hosts/ports you know are genuine.

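One way to implement the outbound restriction suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell script that turns an allowlist of destination host/port pairs into an nftables ruleset which only inspects traffic originating on the LXD bridge and leaving it, accepts replies to already-established connections (so port-forwarded services keep working), accepts the allowlisted destinations, and logs and drops everything else. The bridge name `lxdbr0`, the table/chain names, and the RFC 5737 documentation addresses in the allowlist are all assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables ruleset that
# restricts forwarded (outbound) traffic from an LXD bridge to an allowlist of
# destination host/port pairs. Bridge name and allowlist are assumptions.

BRIDGE="${BRIDGE:-lxdbr0}"   # assumed LXD bridge name; override via environment

# "IP PORT" pairs the containers are genuinely expected to reach (TCP).
# Constructed placeholders from the RFC 5737 documentation ranges, not real hosts.
ALLOW_TCP="203.0.113.10 443
203.0.113.20 443
198.51.100.5 5432"

# Turn the "IP PORT" lines into nftables concatenated set elements:
#   "203.0.113.10 . 443, 203.0.113.20 . 443, ..."
to_set_elements() {
    printf '%s\n' "$1" | awk 'NF == 2 { printf "%s%s . %s", sep, $1, $2; sep = ", " }'
}

# Emit a complete ruleset for the given bridge and allowlist.
gen_egress_ruleset() {
    bridge="$1"
    elems="$(to_set_elements "$2")"
    cat <<EOF
table inet lxd_egress {
    set allowed_tcp {
        type ipv4_addr . inet_service
        elements = { $elems }
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only packets that come in on the bridge and leave on another interface
        # are inspected; port-forwarded traffic going *to* the containers is not.
        iifname "$bridge" oifname != "$bridge" jump egress_from_bridge
    }
    chain egress_from_bridge {
        # Replies on connections that were already allowed (inbound port
        # forwards or previously accepted outbound connections)
        ct state established,related accept
        # Destinations the containers are explicitly allowed to initiate to
        ip daddr . tcp dport @allowed_tcp accept
        # Anything else a container tries to reach is logged and dropped,
        # which is what stops a reverse shell or payload download.
        log prefix "lxd-egress-drop: " counter drop
    }
}
EOF
}

# Print the ruleset; as root, pipe it into nft to apply it:
#   BRIDGE=lxdbr0 sh egress.sh | nft -f -
gen_egress_ruleset "$BRIDGE" "$ALLOW_TCP"
```

Two caveats when using this on a real host. First, LXD installs its own nftables (or iptables) rules for the bridge's DHCP and DNS; those live in a separate table and an accept there does not override the drop here, because in nftables a packet must be accepted by every chain on the hook and a drop in any of them wins. Second, containers that resolve names through LXD's dnsmasq on the bridge address talk to the host itself (input hook, not forward), so that keeps working; if they use external resolvers, package mirrors, or IPv6 destinations, add those as further accept rules before the final drop, since the ruleset above only whitelists IPv4 TCP.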