I asked about this topic on IRC (June 7-8, 2020) and @fred1m suggested that I move it to the forum. So here it is!
Context
I’m running freedombox on an A20 Olimex board, and I’m happy with it. However, I would like to install an extra webapp outside the control of plinth, to get more out of the board and the hardened setup that FB provides.
My plan is to create an unprivileged linux container inside the freedombox OS, and then, inside that lxc, install the webapp with its database and everything. I will manage the TLS certificate at an external reverse proxy, out of FB control, and will connect internally without encryption.
Steps I tried to follow
1. Create a new user for everything related to this app, probably only its lxc
2. Create an unprivileged lxc owned by this user
3. Create a network with libvirt tools, that includes a dhcp server, a virtual bridge, and a veth that connects the bridge to the container’s namespace.
4. Configure the firewall to allow incoming connections to certain ports
5. Upgrade guest system, install app, etc.
Getting into details of the firewall setup:
- Create a new zone, some-lxc-app
- Add services to the zone (open some tcp and udp ports)
- Associate the virbr0 interface to it
Problem Description
When trying again today, I’ve had some issues with step 3, setting up the network. So if you have some hints on libvirt’s nets or how to do it with lxc-net, I’m listening.
My biggest problem, though, is that even when I have had the network working (that is, I can ping external servers from within the lxc), I am not able to make or receive TCP or UDP connections.
Added firewall setup
$ sudo firewall-cmd --info-zone some-lxc-app
some-lxc-app (active)
  target: default
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dns http ssh whois
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Steps to Reproduce
With the setup described above, when trying to upgrade the guest system, I would be able to do so. Right now, the guest isn’t able to establish a new TCP connection even outwards.
Expected Results
I want to be able to establish outbound HTTP, HTTPS, SSH and Whois connections, and perform successful DNS queries. I also want to be able to receive inbound HTTP connections.
Information
- FreedomBox version: 20.11 (up to date)
- Hardware: A20-OLinuXino-LIME2
- How did you install FreedomBox?: bought pre-installed
What I ask for
- Advice about long-term lxc and virt networks
- Guidance or ideas for troubleshooting the firewall problem.
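As an added example that is not part of the original post, the POSIX shell script below audits the kind of zone dump that `firewall-cmd --info-zone` prints, looking at the settings a container bridge depends on: whether the bridge interface is bound to the zone, whether `masquerade` is on (forwarded traffic from the bridge's private addresses needs NAT before it leaves the host), and whether the `dns` service is allowed (the container's resolver queries arrive at the host's bridge address). It works on a constructed copy of the zone output quoted above so that it runs offline; the `firewall-cmd --add-masquerade`, `--permanent` and `--reload` flags it prints are real firewalld options, and the zone and bridge names are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone dump for
# settings that matter to an lxc/libvirt bridge network.

# Constructed copy of the `firewall-cmd --info-zone some-lxc-app` output from
# the post, embedded so the script runs without firewalld installed.
ZONE_OUTPUT='some-lxc-app (active)
  target: default
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dns http ssh whois
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT FIELD: print the value after "FIELD:" (empty if unset).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_has_service OUTPUT SERVICE: succeed if SERVICE is in the services line.
zone_has_service() {
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_has_interface OUTPUT IFACE: succeed if IFACE is bound to the zone.
zone_has_interface() {
    case " $(zone_field "$1" interfaces) " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_zone OUTPUT BRIDGE: print one FINDING line per problem; always returns 0.
audit_zone() {
    out=$1
    bridge=$2
    if ! zone_has_interface "$out" "$bridge"; then
        printf 'FINDING: %s is not bound to this zone\n' "$bridge"
    fi
    if [ "$(zone_field "$out" masquerade)" != "yes" ]; then
        printf 'FINDING: masquerade is off; packets forwarded from %s keep their private source address\n' "$bridge"
    fi
    # The bridge's dnsmasq answers on the host, so the zone must accept DNS.
    if ! zone_has_service "$out" dns; then
        printf 'FINDING: dns service is not allowed on this zone\n'
    fi
    return 0
}

# masquerade_fix_commands ZONE: print the firewall-cmd invocations that turn
# masquerade on persistently and apply the change.
masquerade_fix_commands() {
    printf 'sudo firewall-cmd --permanent --zone=%s --add-masquerade\n' "$1"
    printf 'sudo firewall-cmd --reload\n'
}

# Stand-alone run against the embedded zone dump.
audit_zone "$ZONE_OUTPUT" virbr0
masquerade_fix_commands some-lxc-app
```

Against the quoted zone dump the audit reports a single finding, the disabled masquerade; to run it on a live box, replace `ZONE_OUTPUT` with `$(sudo firewall-cmd --info-zone some-lxc-app)`. The parser only reads the `field: value` lines, so zones with rich rules or forward-ports are handled the same way.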