@lina hey, I don't think you need to manipulate nftables directly or through firewall-cmd; if you use a container daemon, like the default mode in docker, it does that for you automatically. publishPort makes the container port available on the host directly even if the container is in an internal network. Someone can correct me if I missed something.
If I may guess why you're facing problems, I'd say you're running daemonless podman?
Discussion
It looks like I can use a non-internal network with no default route I guess? But then the containers can access ports on the host so I guess I need to firewall-cmd those off...
And also there's a DNS hole (the podman DNS server will still resolve external DNS names)... I have no idea how to disable that.
OK, so apparently setting DNS to 0.0.0.0 means setting the upstream DNS, so that works to close off DNS.
And then I can use firewall-cmd to configure container networking policies, except for some reason the firewall zone is hardcoded to "trusted" by podman so I have to use that one...???
And I still need the default route enabled for non-host port publish but then I can just block off outbound in firewalld.
So it works... I just feel like this could've been a lot easier? Not even being able to set the firewalld zone for a container network is super janky...
@lina unfortunately systemd's IPAddressDeny doesn't seem to work with quadlets with a non-internal network in my testing, which is a pity. The only other way I've seen, without switching the container runtime, for restricting egress only is systemd socket activation (also janky) https://www.redhat.com/en/blog/socket-activation-podman
@starchturrets Yeah, no socket activation here...
I'm fine using manual firewall policies if that's what it takes, I just wish the firewalld integration weren't so janky/half-baked (and there really should be a "no upstream DNS" option too, besides the 0.0.0.0 hack).
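For anyone landing on this thread with the same setup (rootful podman, non-internal bridge so publishPort works, egress blocked by hand), the script below is an added example, not code from anyone in the thread. It generates the firewall-cmd policy commands that reject forwarded traffic from the container bridge and traffic from the bridge to the host itself, while keeping container-to-container traffic and queries to the bridge gateway on port 53 (where podman's internal DNS answers) working, and optionally allowing one destination. The zone name "trusted" is taken from lina's observation above; the subnet, gateway IP and policy names are placeholders you must replace with your own .network values. The priority of -100 is a choice so these policies are evaluated before any others with a default priority.

```shell
#!/usr/bin/env sh
# Added example: emit (or, with APPLY=1, execute) firewall-cmd policies that
# restrict egress from a rootful podman bridge whose interface sits in the
# "trusted" firewalld zone. Values below are placeholders/assumptions.
set -eu

CT_SUBNET="${CT_SUBNET:-10.89.0.0/24}"   # placeholder: Subnet= of your .network
CT_GATEWAY="${CT_GATEWAY:-10.89.0.1}"    # placeholder: Gateway= of your .network
CT_ZONE="${CT_ZONE:-trusted}"            # zone podman puts the bridge in (per thread)
POLICY="${POLICY:-podman-egress}"        # hypothetical policy name

# run_cmd: print the command (quoting args with spaces) unless APPLY=1.
run_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
        return
    fi
    line=""
    for a in "$@"; do
        case $a in
            *" "*) a="'$a'" ;;
        esac
        line="${line:+$line }$a"
    done
    printf '%s\n' "$line"
}

# emit_rules [ALLOW_CIDR] [ALLOW_TCP_PORT]
# Builds two policies: bridge -> forwarded anywhere (egress zone ANY) and
# bridge -> the host itself (egress zone HOST). Both default to REJECT.
emit_rules() {
    allow_dst="${1:-}"
    allow_port="${2:-}"
    fwd="$POLICY"
    host="$POLICY-host"

    # Policy 1: traffic leaving the bridge towards other zones (default route path)
    run_cmd firewall-cmd --permanent --new-policy "$fwd"
    run_cmd firewall-cmd --permanent --policy "$fwd" --add-ingress-zone "$CT_ZONE"
    run_cmd firewall-cmd --permanent --policy "$fwd" --add-egress-zone ANY
    run_cmd firewall-cmd --permanent --policy "$fwd" --set-priority -100
    run_cmd firewall-cmd --permanent --policy "$fwd" --set-target REJECT
    # container <-> container on the same bridge stays allowed
    run_cmd firewall-cmd --permanent --policy "$fwd" --add-rich-rule \
        "rule family=ipv4 source address=$CT_SUBNET destination address=$CT_SUBNET accept"
    # optional single allowed destination (whole CIDR, or one TCP port on it)
    if [ -n "$allow_dst" ]; then
        if [ -n "$allow_port" ]; then
            run_cmd firewall-cmd --permanent --policy "$fwd" --add-rich-rule \
                "rule family=ipv4 destination address=$allow_dst port port=$allow_port protocol=tcp accept"
        else
            run_cmd firewall-cmd --permanent --policy "$fwd" --add-rich-rule \
                "rule family=ipv4 destination address=$allow_dst accept"
        fi
    fi

    # Policy 2: traffic from the bridge to the host's own sockets
    run_cmd firewall-cmd --permanent --new-policy "$host"
    run_cmd firewall-cmd --permanent --policy "$host" --add-ingress-zone "$CT_ZONE"
    run_cmd firewall-cmd --permanent --policy "$host" --add-egress-zone HOST
    run_cmd firewall-cmd --permanent --policy "$host" --set-priority -100
    run_cmd firewall-cmd --permanent --policy "$host" --set-target REJECT
    # keep the internal DNS resolver reachable on the bridge gateway address
    for proto in udp tcp; do
        run_cmd firewall-cmd --permanent --policy "$host" --add-rich-rule \
            "rule family=ipv4 source address=$CT_SUBNET destination address=$CT_GATEWAY port port=53 protocol=$proto accept"
    done

    run_cmd firewall-cmd --reload
}

# Usage: ./podman-egress.sh [ALLOW_CIDR] [ALLOW_TCP_PORT]   (APPLY=1 to execute)
emit_rules "${1:-}" "${2:-}"
```

Published ports are unaffected: inbound traffic enters from the external interface's zone, not from the bridge, and replies are matched as established connections before policies are consulted. Check the result with `firewall-cmd --info-policy podman-egress` after applying.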
@linuxgeek28 This is rootful and publishPort does not work with internal networks. That's the whole reason I ended up here. Don't ask me why.
@teohhanhui But that just points to a different DNS server... I do want the podman internal dns stuff to work, I just don't want to forward to the outside world.
@lina Hmm I think you could try using `--network=pasta` on the container directly?
https://docs.podman.io/en/stable/markdown/podman-create.1.html#network-mode-net
@teohhanhui Wait, no, that does work, if I set it to 0.0.0.0. Huh.