How to configure UFW rules for podman
from someacnt@sh.itjust.works to selfhosted@lemmy.world on 29 Mar 09:07
https://sh.itjust.works/post/35217178

Note: I am using VPS for services, since I do not want to expose my home network to internet. I am using podman, . But firewall (using UFW frontend) seems to block all the routing and inter-container traffic, so I want to Currently I have UFW rules set as blanket open for all podman networks, like this:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
222/tcp                    ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
Anywhere on podman1        ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
Anywhere on podman0        ALLOW       Anywhere                  
Anywhere on podman2        ALLOW       Anywhere                  
Anywhere on podman3        ALLOW       Anywhere                  
Anywhere on podman4        ALLOW       Anywhere                  
Anywhere on podman5        ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
222/tcp (v6)               ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
Anywhere (v6) on podman1   ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
Anywhere (v6) on podman0   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman2   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman3   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman4   ALLOW       Anywhere (v6)             
Anywhere (v6) on podman5   ALLOW       Anywhere (v6)             

Anywhere on podman1        ALLOW FWD   Anywhere on ens3          
Anywhere on podman0        ALLOW FWD   Anywhere on ens3          
Anywhere on podman2        ALLOW FWD   Anywhere on ens3          
Anywhere on podman3        ALLOW FWD   Anywhere on ens3          
Anywhere on podman4        ALLOW FWD   Anywhere on ens3          
Anywhere on podman5        ALLOW FWD   Anywhere on ens3          
Anywhere (v6) on podman1   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman0   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman2   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman3   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman4   ALLOW FWD   Anywhere (v6) on ens3     
Anywhere (v6) on podman5   ALLOW FWD   Anywhere (v6) on ens3 

This neither seems secure, nor extensible when I add another network. Is there some ‘best practices’ for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!

EDIT: Sorry for missing an important detail, I am running rootful podman with (userns=auto).

#selfhosted

threaded - newest

elvith@feddit.org on 29 Mar 10:18 next collapse

I’m currently experimenting if I can convert my stack to rootless podman.

I found in my notes, that

A user-mode networking tool for unprivileged network namespaces must be installed on the machine in order for Podman to run in a rootless environment.

Podman supports two rootless networking tools: pasta (provided by passt) and slirp4netns.

Could this be your problem?

Taken from github.com/containers/…/rootless_tutorial.md

someacnt@sh.itjust.works on 29 Mar 11:00 collapse

Thanks, I am running rootful containers so I don’t think this applies.

Grimm665@lemm.ee on 29 Mar 13:07 next collapse

If you really want to stick to UFW, you can ignore me, but this looks like a situation where finding another firewall may be best. UFW is a front end for IPtables and is mostly meant for desktop or simple server app usage. I’d recommend Shorewall, which is also a front end for IPtables but implements a zone based firewall and allows for more complex setups to be handled easier than with UFW. You can put your podman containers into a zone and define all of the network access you need for that zone separate from the host system.

someacnt@sh.itjust.works on 29 Mar 14:01 collapse

Thanks, though Shorewall looks intimidating. Do you have any good resources to go over how to set it up?

Grimm665@lemm.ee on 29 Mar 14:24 collapse

For so many Linux server packages I find the manual to be more of a reference than a guide, so not very useful if you’re just getting started and aren’t sure what to do, but Shorewall is an exception, its manual is wonderful and Tom the creator really goes into detail about how to fit it into many different setups.

shorewall.org/GettingStarted.html

You’ll probably want to follow the two interface guide, the two interfaces in your case are your public IP interface, and the virtual interface connected to the Podman network side. You’ll essentially treat shorewall as a firewall/router for your Podman containers which will act as your “LAN” in this case. The warning about not installing Shorewall on a remote system is not to be ignored, you’re generally fine to install the package, but do not start the shorewall service without first setting up some rules to allow SSH. The safest way is to log in via your VPS console instead of SSH to keep you from getting locked out. Most VPS providers have some sort of out-of-band connection utility like VNC or a simple console access you’ll want to use.

Shimitar@downonthestreet.eu on 29 Mar 14:03 collapse

Podman works with nft, not iptables. Ufw iirc uses iptables (iptables can work as a subset of nft, so there is that too).

Try a different firewall tool, or use nft directly

If your containers are bound to 127.0.0.1 and you only have a reverse proxy on 443, you probably don’t even really need a firewall.

Run rootless podman and segregate each container stack on its own network, podman will take care of it for you.