Note: I am using VPS for services, since I do not want to expose my home network to internet. I am using podman, . But firewall (using UFW frontend) seems to block all the routing and inter-container traffic, so I want to Currently I have UFW rules set as blanket open for all podman networks, like this:
Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 222/tcp ALLOW Anywhere 80/tcp ALLOW Anywhere Anywhere on podman1 ALLOW Anywhere 443/tcp ALLOW Anywhere 8080/tcp ALLOW Anywhere Anywhere on podman0 ALLOW Anywhere Anywhere on podman2 ALLOW Anywhere Anywhere on podman3 ALLOW Anywhere Anywhere on podman4 ALLOW Anywhere Anywhere on podman5 ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) 222/tcp (v6) ALLOW Anywhere (v6) 80/tcp (v6) ALLOW Anywhere (v6) Anywhere (v6) on podman1 ALLOW Anywhere (v6) 443/tcp (v6) ALLOW Anywhere (v6) 8080/tcp (v6) ALLOW Anywhere (v6) Anywhere (v6) on podman0 ALLOW Anywhere (v6) Anywhere (v6) on podman2 ALLOW Anywhere (v6) Anywhere (v6) on podman3 ALLOW Anywhere (v6) Anywhere (v6) on podman4 ALLOW Anywhere (v6) Anywhere (v6) on podman5 ALLOW Anywhere (v6) Anywhere on podman1 ALLOW FWD Anywhere on ens3 Anywhere on podman0 ALLOW FWD Anywhere on ens3 Anywhere on podman2 ALLOW FWD Anywhere on ens3 Anywhere on podman3 ALLOW FWD Anywhere on ens3 Anywhere on podman4 ALLOW FWD Anywhere on ens3 Anywhere on podman5 ALLOW FWD Anywhere on ens3 Anywhere (v6) on podman1 ALLOW FWD Anywhere (v6) on ens3 Anywhere (v6) on podman0 ALLOW FWD Anywhere (v6) on ens3 Anywhere (v6) on podman2 ALLOW FWD Anywhere (v6) on ens3 Anywhere (v6) on podman3 ALLOW FWD Anywhere (v6) on ens3 Anywhere (v6) on podman4 ALLOW FWD Anywhere (v6) on ens3 Anywhere (v6) on podman5 ALLOW FWD Anywhere (v6) on ens3
This neither seems secure, nor extensible when I add another network. Is there some ‘best practices’ for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!
Shimitar@downonthestreet.eu 4 weeks ago
Podman works with nft, not iptables. Ufw iirc uses iptables.
Try a different firewall tool, or use nft directly
If your containers are bound to 127.0.0.1 and you only have a reverse proxy on 443, you probably don’t even really need a firewall.
Run rootless podman and segregate each container stack on its own network, podman will take care of it for you.