How to configure UFW rules for podman
from someacnt@sh.itjust.works to selfhosted@lemmy.world on 29 Mar 09:07
https://sh.itjust.works/post/35217178
Note: I am using a VPS for services, since I do not want to expose my home network to the internet. I am using podman. But the firewall (using the UFW frontend) seems to block all the routing and inter-container traffic, so I want to

Currently I have UFW rules set as blanket open for all podman networks, like this:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
222/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
Anywhere on podman1        ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
Anywhere on podman0        ALLOW       Anywhere
Anywhere on podman2        ALLOW       Anywhere
Anywhere on podman3        ALLOW       Anywhere
Anywhere on podman4        ALLOW       Anywhere
Anywhere on podman5        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
222/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
Anywhere (v6) on podman1   ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
Anywhere (v6) on podman0   ALLOW       Anywhere (v6)
Anywhere (v6) on podman2   ALLOW       Anywhere (v6)
Anywhere (v6) on podman3   ALLOW       Anywhere (v6)
Anywhere (v6) on podman4   ALLOW       Anywhere (v6)
Anywhere (v6) on podman5   ALLOW       Anywhere (v6)
Anywhere on podman1        ALLOW FWD   Anywhere on ens3
Anywhere on podman0        ALLOW FWD   Anywhere on ens3
Anywhere on podman2        ALLOW FWD   Anywhere on ens3
Anywhere on podman3        ALLOW FWD   Anywhere on ens3
Anywhere on podman4        ALLOW FWD   Anywhere on ens3
Anywhere on podman5        ALLOW FWD   Anywhere on ens3
Anywhere (v6) on podman1   ALLOW FWD   Anywhere (v6) on ens3
Anywhere (v6) on podman0   ALLOW FWD   Anywhere (v6) on ens3
Anywhere (v6) on podman2   ALLOW FWD   Anywhere (v6) on ens3
Anywhere (v6) on podman3   ALLOW FWD   Anywhere (v6) on ens3
Anywhere (v6) on podman4   ALLOW FWD   Anywhere (v6) on ens3
Anywhere (v6) on podman5   ALLOW FWD   Anywhere (v6) on ens3
This neither seems secure, nor extensible when I add another network. Is there some ‘best practices’ for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!
EDIT: Sorry for missing an important detail, I am running rootful podman with (userns=auto).
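As an added example (not from the original post): a script that turns the blanket per-interface rules above into rules scoped to each network's subnet and gateway, so a container can reach the internet and its own resolver but no other host service or other stack. It assumes ens3 as the public interface, rootful Podman with netavark bridges whose resolver (aardvark-dns) listens on the bridge gateway address, and a constructed three-network table standing in for real podman network inspect output; rules_for, isolation_for and generate are the script's own names.

```shell
#!/bin/sh
# Added example (not from the thread): emit UFW rules scoped to each Podman
# bridge, replacing the blanket "Anywhere on podmanN ALLOW Anywhere" entries.
# Assumptions: rootful Podman with netavark bridges, where aardvark-dns
# answers on the bridge gateway address, port 53; ens3 is the public
# interface as in the post.  The script prints the ufw commands for review
# rather than running them.

set -u

WAN=ens3

# One line per network: "<bridge> <subnet> <gateway>".  On a real host this
# would come from `podman network inspect`; this table is a constructed
# sample that mirrors Podman's default address ranges.
SAMPLE_NETWORKS='podman0 10.88.0.0/16 10.88.0.1
podman1 10.89.0.0/24 10.89.0.1
podman2 10.89.1.0/24 10.89.1.1'

# rules_for BRIDGE SUBNET GATEWAY: what one network is allowed to do
rules_for() {
    bridge=$1 subnet=$2 gateway=$3
    # 1. outbound access through the public interface, only from addresses
    #    that actually belong to the subnet (spoofed sources are dropped)
    echo "ufw route allow in on $bridge out on $WAN from $subnet"
    # 2. the network's own resolver on the host side of the bridge, and
    #    nothing else on the host: the old "allow in on podmanN" rule let a
    #    container reach every listening service on the VPS
    echo "ufw allow in on $bridge from $subnet to $gateway port 53 proto udp"
    echo "ufw allow in on $bridge from $subnet to $gateway port 53 proto tcp"
    # Replies come back through UFW's built-in RELATED,ESTABLISHED rules;
    # anything else from the bridge hits the defaults (incoming deny,
    # forward DROP).
}

# isolation_for BRIDGE OTHER...: explicit denies between stacks, so that a
# broad route-allow added later cannot quietly join two networks
isolation_for() {
    bridge=$1
    shift
    for other in "$@"; do
        [ "$other" = "$bridge" ] && continue
        echo "ufw route deny in on $bridge out on $other"
    done
}

# generate: walk the network table and emit the complete rule set
generate() {
    bridges=$(printf '%s\n' "$SAMPLE_NETWORKS" | cut -d' ' -f1)
    printf '%s\n' "$SAMPLE_NETWORKS" | while read -r bridge subnet gateway; do
        rules_for "$bridge" "$subnet" "$gateway"
        # $bridges is intentionally unquoted: one argument per bridge name
        isolation_for "$bridge" $bridges
    done
}

generate
```

Ports a container publishes with -p are DNATed by rules that netavark installs itself, and UFW's forward chain is evaluated alongside them; after applying a rule set like this, compare what nft list ruleset (or iptables -S) shows against the traffic you expect to pass, and re-run the script whenever a network is added rather than hand-editing per interface.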
I’m currently experimenting to see whether I can convert my stack to rootless podman.
I found in my notes that
Could this be your problem?
Taken from github.com/containers/…/rootless_tutorial.md
Thanks, I am running rootful containers so I don’t think this applies.
If you really want to stick to UFW, you can ignore me, but this looks like a situation where finding another firewall may be best. UFW is a front end for iptables and is mostly meant for desktop or simple server app usage. I’d recommend Shorewall, which is also a front end for iptables but implements a zone-based firewall and allows more complex setups to be handled more easily than with UFW. You can put your podman containers into a zone and define all of the network access you need for that zone separately from the host system.
Thanks, though Shorewall looks intimidating. Do you have any good resources to go over how to set it up?
For so many Linux server packages I find the manual to be more of a reference than a guide, so it is not very useful if you’re just getting started and aren’t sure what to do, but Shorewall is an exception: its manual is wonderful, and Tom, the creator, really goes into detail about how to fit it into many different setups.
shorewall.org/GettingStarted.html
You’ll probably want to follow the two-interface guide; the two interfaces in your case are your public IP interface and the virtual interface connected to the Podman network side. You’ll essentially treat Shorewall as a firewall/router for your Podman containers, which will act as your “LAN” in this case. The warning about not installing Shorewall on a remote system is not to be ignored: you’re generally fine to install the package, but do not start the shorewall service without first setting up some rules to allow SSH. The safest way is to log in via your VPS console instead of SSH to keep yourself from getting locked out. Most VPS providers have some sort of out-of-band connection utility like VNC or simple console access that you’ll want to use.
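As an added example, not from this reply or the Shorewall project: the two-interface layout described above, rendered as Shorewall 5 configuration files by a small script. It assumes ens3 as the public interface (as in the post), Podman bridges named podman0, podman1 and so on (matched with Shorewall's podman+ wildcard), Podman's default container address ranges, and host ports mirroring the poster's UFW list; zones, interfaces, policy, rules, snat and write_config are the script's own function names. The files are written to a directory of your choosing, not to /etc/shorewall, so they can be reviewed before anything is started.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: the
# two-interface layout from the reply above, written out as Shorewall 5
# configuration files.  Assumptions: ens3 is the public interface (as in
# the post), the Podman bridges are all named podman<N>, Podman's default
# address ranges are in use, and the host ports mirror the poster's UFW
# list (22, 222, 80, 443, 8080).  Files go to a directory you pick, not to
# /etc/shorewall, so they can be reviewed before anything is started.

set -eu

WAN=ens3
POD_IF='podman+'                      # Shorewall wildcard: any podman* bridge
POD_NETS='10.88.0.0/16 10.89.0.0/16'  # assumed container address ranges

# Three zones: the firewall host itself, the internet, and the container "LAN".
zones() { cat <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
pod     ipv4
EOF
}

# routeback lets containers on the same bridge talk to each other when
# bridge traffic is passed through the host firewall.
interfaces() { cat <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $WAN        tcpflags,nosmurfs,routefilter,logmartians
pod     $POD_IF     tcpflags,nosmurfs,routeback
EOF
}

# Defaults per zone pair; the rules file opens the specific holes.
policy() { cat <<'EOF'
#SOURCE   DEST   POLICY   LOG_LEVEL
$FW       all    ACCEPT
pod       net    ACCEPT
pod       $FW    DROP     info
net       all    DROP     info
all       all    REJECT   info
EOF
}

# SSH first: without it a remote host is locked out the moment shorewall starts.
rules() { cat <<'EOF'
#ACTION        SOURCE   DEST   PROTO   DEST_PORT
?SECTION NEW
SSH(ACCEPT)    net      $FW
ACCEPT         net      $FW    tcp     222
ACCEPT         net      $FW    tcp     80,443,8080
# Containers reach only the host resolver, not every listening host service.
DNS(ACCEPT)    pod      $FW
EOF
}

# Shorewall installs its own tables at start; if that displaces the
# masquerade rule Podman added, this keeps outbound container traffic working.
snat() {
    echo '#ACTION        SOURCE          DEST'
    for net in $POD_NETS; do
        echo "MASQUERADE     $net    $WAN"
    done
}

# write_config DIR: render every file into DIR and list what was written
write_config() {
    dir=$1
    mkdir -p "$dir"
    zones      > "$dir/zones"
    interfaces > "$dir/interfaces"
    policy     > "$dir/policy"
    rules      > "$dir/rules"
    snat       > "$dir/snat"
    ls "$dir"
}

# usage: sh shorewall-draft.sh ./shorewall-draft
if [ $# -gt 0 ]; then
    write_config "$1"
fi
```

Copy the generated files into /etc/shorewall over the VPS console, make sure IP_FORWARDING=On in shorewall.conf, and run shorewall check before shorewall start. Because Shorewall rebuilds the tables when it starts, Podman's own port-publishing and NAT rules may need to be recreated afterwards (podman network reload --all does this); verify with nft list ruleset or iptables -S before trusting the setup.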
Podman works with nft, not iptables. UFW, IIRC, uses iptables (iptables can work as a subset of nft, so there is that too).
Try a different firewall tool, or use nft directly
If your containers are bound to 127.0.0.1 and you only have a reverse proxy on 443, you probably don’t even really need a firewall.
Run rootless podman and segregate each container stack on its own network; podman will take care of it for you.