All CTs/VMs have static IPs (via override) and I have several port fwds working (they are all nat=true due to my use cases).

lxc network show lxdbr0 config:
    ipv4.address: x.x.x.x/24
    ipv4.firewall: "true"
    ipv4.nat: "true"
    ipv6.address: none
UFW is using the default setup: deny (incoming), allow (outgoing), deny (routed). LXD is using the standard lxdbr0. This is Ubuntu Focal, and nftables has never been, and is not, installed.

If I remove a rule from UFW (remove an explicit ALLOW, so it should DENY), to my surprise I can still reach the listener inside each CT/VM. For listeners on the host, UFW is respected.
What is going on?
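As an added check (not from the original post, and not LXD's or UFW's own code): the script below parses `iptables-save` output and lists the nat-table DNAT rules (the port forwards, whose packets traverse FORWARD rather than INPUT) together with any FORWARD rules that ACCEPT before control reaches a ufw-* chain; a terminating ACCEPT there means UFW's routed policy is never consulted for that traffic. The rule text, comment strings and addresses in SAMPLE are constructed to resemble a UFW host with an LXD bridge and one forward, not captured from a real system.

```shell
#!/bin/sh
# Added diagnostic: given `iptables-save` text on stdin, report (a) DNAT port
# forwards in nat PREROUTING and (b) FORWARD rules that ACCEPT before the
# first jump into a ufw-* chain. Neither function is part of LXD or UFW.

# Constructed sample (placeholder addresses, approximate LXD comment text)
# resembling a host running UFW plus an LXD bridge with one port forward.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 8080 -m comment --comment "generated for LXD network-forward" -j DNAT --to-destination 10.0.3.5:80
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-reject-forward
COMMIT'

# Print FORWARD rules ending in ACCEPT that sit ahead of every ufw-* jump.
# Exit 0 if any were found, 1 otherwise.
forward_accepts_before_ufw() {
    awk '
        /^-A FORWARD / && /-j ufw-/ { seen_ufw = 1 }
        /^-A FORWARD / && !seen_ufw && /-j ACCEPT$/ { print; n++ }
        END { if (n > 0) exit 0; else exit 1 }
    '
}

# Print nat PREROUTING rules that DNAT (port forwards). Exit 0 if any found.
nat_dnat_rules() {
    awk '/^-A PREROUTING / && /-j DNAT/ { print; n++ } END { if (n > 0) exit 0; else exit 1 }'
}

# Run against the constructed sample; on a real host pipe `iptables-save` in instead.
echo "== nat PREROUTING DNAT rules (port forwards) =="
printf '%s\n' "$SAMPLE" | nat_dnat_rules
echo "== FORWARD ACCEPT rules evaluated before UFW's chains =="
printf '%s\n' "$SAMPLE" | forward_accepts_before_ufw
```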