Note: I am using VPS for services, since I do not want to expose my home network to internet. I am using podman, . But firewall (using UFW frontend) seems to block all the routing and inter-container traffic, so I want to Currently I have UFW rules set as blanket open for all podman networks, like this:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
222/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
Anywhere on podman1 ALLOW Anywhere
443/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
Anywhere on podman0 ALLOW Anywhere
Anywhere on podman2 ALLOW Anywhere
Anywhere on podman3 ALLOW Anywhere
Anywhere on podman4 ALLOW Anywhere
Anywhere on podman5 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
222/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Anywhere (v6) on podman1 ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
Anywhere (v6) on podman0 ALLOW Anywhere (v6)
Anywhere (v6) on podman2 ALLOW Anywhere (v6)
Anywhere (v6) on podman3 ALLOW Anywhere (v6)
Anywhere (v6) on podman4 ALLOW Anywhere (v6)
Anywhere (v6) on podman5 ALLOW Anywhere (v6)
Anywhere on podman1 ALLOW FWD Anywhere on ens3
Anywhere on podman0 ALLOW FWD Anywhere on ens3
Anywhere on podman2 ALLOW FWD Anywhere on ens3
Anywhere on podman3 ALLOW FWD Anywhere on ens3
Anywhere on podman4 ALLOW FWD Anywhere on ens3
Anywhere on podman5 ALLOW FWD Anywhere on ens3
Anywhere (v6) on podman1 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman0 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman2 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman3 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman4 ALLOW FWD Anywhere (v6) on ens3
Anywhere (v6) on podman5 ALLOW FWD Anywhere (v6) on ens3
This neither seems secure, nor extensible when I add another network. Is there some ‘best practices’ for firewall setup with podman networks? How do you gurus set up your firewall for containers? Thanks in advance!
EDIT: Sorry for missing an important detail, I am running rootful podman with (userns=auto).
I’m currently experimenting if I can convert my stack to rootless podman.
I found in my notes, that
Could this be your problem?
Taken from https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Thanks, I am running rootful containers so I don’t think this applies.