What is the best way to disable host's firewalld for containers' target IPs, to allow inbound connections?

I set up LXD on AlmaLinux 9 with firewalld enabled. I created an Ubuntu container with routed networking and noticed that almost everything works; almost, because inbound connections don't work as long as firewalld is enabled on the host.

I disabled LXD's firewall as recommended here: https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#disable-lxd-s-firewall-rules and would like to handle everything with the host's firewalld. I'm not very familiar with firewalld, though. Is there a way to accept everything that has a specific target IP, even if this IP is not configured on the host's interface? Ideal would be to allow everything going into the containers, so they could filter it themselves.

Hi @Luken, maybe this link gives you some idea.

Thank you. I saw that, but it seems to be instructions for the managed bridge. As far as I know, the managed bridge doesn't offer public IPs, or at least not without more configuration and messing with routing. I wonder if it's possible to configure something with routed containers, and preferably something that wouldn't require keeping configuration in sync between host and guests. I would rather avoid hardcoding the IPs of containers in the host's firewall rules, because then you have to remember to update this config each time a container is added or removed.

Maybe something could be done after creating a custom bridge? If we could apply different rules to the bridged interface than to the actual one, and connect the containers to the bridge… I'm just not sure if that would work. I think we really need a canonical answer on this matter: whether it is possible or not, and whether we just need to hardcode the containers' IPs in the host's firewall configuration.

You'll need to allow FORWARDed (routed) connections between the host's external interface and the container's host-side interface or IP address.

By default, routed NICs use a random host-side interface name.
But for adding manual firewall rules that don't use the container's IP address, you can specify that a container has a static host-side interface name by setting host_name in the NIC's config.

See https://linuxcontainers.org/lxd/docs/master/reference/devices_nic/#nictype-routed

As for the specific firewalld config, I am not sure as I do not use it.

At least in nftables/iptables you can also use an interface prefix in rules, so if you have multiple containers using routed NICs you could specify that they have the same host-side interface prefix to simplify applying rules to multiple instances.

However, at this point, if you have a static host-side interface name, then this question becomes a generic "how do I allow routed traffic between one interface and another" type question and something perhaps the firewalld community could answer directly, as it's not specific to LXD.

If you do get something working it would be great to post your findings here for future readers (including myself :)).
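A worked version of the approach above (pin a predictable host-side interface name per container, then write firewalld rules that match the interface prefix rather than any container IP). This is an added example and is not code from the thread, from LXD or from the firewalld project. It assumes: the host uplink is `eth0` and sits in firewalld's default `public` zone (the AlmaLinux 9 default); firewalld 1.x, which has policy objects for inter-zone forwarding; each container's routed NIC device is named `eth0`; the prefix `lxdr-`, the zone name `lxdrouted` and the policy names `lxd-in`/`lxd-out` are arbitrary choices. It also assumes that firewalld treats a trailing `+` in a zone interface binding as a prefix wildcard (it is translated to `lxdr-*` in the nftables backend); confirm that on your version with `nft list ruleset | grep lxdr-` after the reload. The script is a dry run by default and only prints the commands; set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example: firewalld rules for LXD routed NICs keyed on a host-side
# interface prefix instead of container IPs. Not from the thread or LXD.
set -eu

UPLINK="${UPLINK:-eth0}"          # assumption: host uplink, in zone "public"
PREFIX="${PREFIX:-lxdr-}"         # assumption: shared host-side interface prefix
ZONE="lxdrouted"                  # assumption: zone that owns the routed NICs
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = run them

# Run a command, or just echo it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Give one container's routed NIC a fixed host-side name, e.g. lxdr-c1.
# The NIC must be (re)started for the new host_name to take effect.
# Usage: pin_host_name <container> [device]
pin_host_name() {
    ctr="${1:?container name}"
    dev="${2:-eth0}"
    run lxc config device set "$ctr" "$dev" "host_name=${PREFIX}${ctr}"
}

# One-time firewalld setup. Put every lxdr-* interface into its own zone,
# then allow forwarding in both directions between that zone and public.
# Filtering of what actually reaches a container is left to the container,
# which is what the thread asks for; tighten lxd-in if you want host-side
# filtering (e.g. --add-service instead of --set-target ACCEPT).
setup_firewalld() {
    run firewall-cmd --permanent --new-zone="$ZONE"
    run firewall-cmd --permanent --zone="$ZONE" --add-interface="${PREFIX}+"
    run firewall-cmd --permanent --zone="$ZONE" --set-target=ACCEPT

    # Inbound: uplink (public) -> routed NICs. Without a policy, firewalld
    # 1.x drops forwarded traffic between different zones.
    run firewall-cmd --permanent --new-policy=lxd-in
    run firewall-cmd --permanent --policy=lxd-in --add-ingress-zone=public
    run firewall-cmd --permanent --policy=lxd-in --add-egress-zone="$ZONE"
    run firewall-cmd --permanent --policy=lxd-in --set-target=ACCEPT

    # Outbound: routed NICs -> uplink, so containers can initiate connections.
    run firewall-cmd --permanent --new-policy=lxd-out
    run firewall-cmd --permanent --policy=lxd-out --add-ingress-zone="$ZONE"
    run firewall-cmd --permanent --policy=lxd-out --add-egress-zone=public
    run firewall-cmd --permanent --policy=lxd-out --set-target=ACCEPT

    run firewall-cmd --reload
}

# Show what firewalld actually generated, to confirm the prefix match.
verify_rules() {
    run firewall-cmd --zone="$ZONE" --list-interfaces
    run firewall-cmd --info-policy=lxd-in
    run sh -c "nft list ruleset | grep -n '${PREFIX}'"
}

# Standalone usage:  sh lxd-fw.sh setup | pin <container> | verify
case "${1-}" in
    setup)  setup_firewalld ;;
    pin)    pin_host_name "${2:?container name}" "${3:-eth0}" ;;
    verify) verify_rules ;;
esac
```

New containers then only need `pin_host_name <name>` (or `host_name=lxdr-<name>` on the NIC at `lxc launch` time); the firewalld side never changes, because nothing in it references a container address. Reply traffic for connections allowed by either policy is accepted by firewalld's conntrack rules, so the two policies together cover inbound and outbound without per-container state on the host.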

@tomp I figured it out in this thread. 🙂

I hope it will be helpful. Although I still have issues with setting up networking for anything that is not an Ubuntu container (even an Ubuntu VM doesn't work with the same config as the container, but that's something for another thread).