Was having firewall issues with a new install of Ubuntu 22.04, believe I may have it sorted out but wanted to run it by the community here to make sure what I did was the proper solution.
With a fresh install of Ubuntu 22.04 LTS, using HAProxy in a container, ports 80 & 443 proxied to the HAProxy container using LXC proxy devices & HAProxy directing all web traffic to a default LXC container.
As per directions in the docs at Linux Containers - LXD - Has been moved to Canonical I disabled LXD’s firewall rules and added rules for the bridge on the host:
lxc network set lxdbr0 ipv6.firewall false
lxc network set lxdbr0 ipv4.firewall false
and
sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0
Then with UFW enabled on the host and disabled on the HAProxy & webserver containers…
My containers did not get IPs. Still no IPs even after rebooting… no external web access (from outside into port 80: haproxy container > webserver container).
After a bit of research I ended up trying the following:
sudo ufw allow out on lxdbr0
sudo ufw route allow out on lxdbr0
That resulted in the containers getting IPs from LXC and enabled web access through the HAProxy container & forwarded into the default webserver container. All looked good after that.
So my question: Was adding the ‘allow out’ and ‘route allow out’ UFW rules to the bridge the proper way to resolve the issue of inaccessible default websites and the containers not getting IPs from LXD?
Since the LXD firewall page in the docs at Linux Containers - LXD - Has been moved to Canonical did not mention adding the ‘out’ rules for the bridge, it makes me wonder if maybe there was something else that I missed, maybe this was not the proper way to resolve the issue, etc.
Thanks in advance for any advice & input.
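Added here as a verification example, not part of the original post: a POSIX sh check that parses the text of `sudo ufw status` and reports which of the four lxdbr0 rules discussed above (allow in, allow out, route allow in, route allow out) are absent on the host. The sample status text is constructed, and the column layout of ufw's status table (interface shown as "on lxdbr0", route rules shown as "ALLOW FWD") is an assumption.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status` output on the host. The layout is
# assumed; it mirrors the common "To / Action / From" table but a real box
# may differ in spacing or column order.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
Anywhere on lxdbr0         ALLOW IN    Anywhere
Anywhere on lxdbr0         ALLOW FWD   Anywhere
Anywhere (v6) on lxdbr0    ALLOW IN    Anywhere (v6)
Anywhere (v6) on lxdbr0    ALLOW FWD   Anywhere (v6)'

# count_rules BRIDGE ACTION STATUS_TEXT
# Number of IPv4 rule lines that mention BRIDGE and carry ACTION (e.g. "ALLOW OUT").
# IPv6 duplicates ("(v6)") are dropped so each rule is counted once.
count_rules() {
  printf '%s\n' "$3" | grep -v '(v6)' | grep -F "$1" | grep -Fc "$2"
}

# missing_bridge_rules BRIDGE STATUS_TEXT
# Prints one line per rule kind that is absent for BRIDGE; prints nothing when
# the "allow in/out" pair and both "route allow" rules are all present.
missing_bridge_rules() {
  bridge=$1
  status=$2
  [ "$(count_rules "$bridge" 'ALLOW IN' "$status")" -ge 1 ] \
    || echo "allow in on $bridge"
  [ "$(count_rules "$bridge" 'ALLOW OUT' "$status")" -ge 1 ] \
    || echo "allow out on $bridge"
  # "route allow in" and "route allow out" both appear as ALLOW FWD lines,
  # so two such lines are expected for the bridge.
  [ "$(count_rules "$bridge" 'ALLOW FWD' "$status")" -ge 2 ] \
    || echo "route allow in/out on $bridge (need two FWD rules)"
}

# On a live host replace the constructed sample with: "$(sudo ufw status)"
missing_bridge_rules lxdbr0 "$SAMPLE_STATUS"
```

With the sample above the check reports the "allow out" rule and the second route rule as missing, which is the state the post describes before the extra rules were added.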