[pkg-lxc-devel] Bug#1095889: lxc: Poor default policy in firewall rules for lxc chain

Henrik Christian Grove debian at 3001.dk
Thu Feb 13 10:38:29 GMT 2025


Package: lxc
Version: 1:6.0.3-1
Severity: minor
X-Debbugs-Cc: debian at 3001.dk

The /usr/libexec/lxc/lxc-net script adds some default firewall rules.
But those don't specify a policy for the input chain so it gets an
accept policy by default. That's not good.

It also makes it a bit pointless that rules are then added that accept
DNS and DHCP traffic.

The default configuration is to use RFC-1918 addresses for lxc guests
and that makes it hard for traffic from the outside (I assume we can
restrict ourselves to protect against that), but it's hard to be sure,
and I guess it's also possible to configure the networking so LXC guests
are more directly connected to the outside while still relying on that
chain.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-29-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.89
ii  dnsmasq-base [dnsmasq-base]  2.91~test9-1
ii  iproute2                     6.13.0-1
ii  libapparmor1                 3.1.7-2
ii  libc6                        2.40-6
ii  libcap2                      1:2.66-5+b1
ii  libdbus-1-3                  1.16.0-1
ii  libgcc-s1                    14.2.0-17
ii  liblxc-common                1:6.0.3-1
ii  liblxc1t64                   1:6.0.3-1
ii  libseccomp2                  2.5.5-2
ii  libselinux1                  3.8-3
ii  nftables                     1.1.1-1

Versions of packages lxc recommends:
ii  apparmor       3.1.7-2
ii  debootstrap    1.0.140
ii  dirmngr        2.2.46-1+b1
ii  distrobuilder  3.1-1+b2
ii  gnupg          2.2.46-1
ii  libpam-cgfs    1:6.0.3-1
ii  lxcfs          6.0.3-1
ii  openssl        3.4.1-1
ii  rsync          3.3.0+ds1-4
ii  uidmap         1:4.16.0-7
ii  wget           1.24.5-2+b1

Versions of packages lxc suggests:
ii  btrfs-progs    6.12-1+b1
pn  criu           <none>
pn  lvm2           <none>
pn  lxc-templates  <none>
pn  python3-lxc    <none>

-- debconf information:
  lxc/auto_update_config:
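The report's point is that an nftables base chain created without a `policy` keyword defaults to accept, so the accept rules for DNS and DHCP change nothing. The script below is an added example (not from the bug report and not lxc-net's own code): it audits an `nft list ruleset` dump for input-hook chains that are open by default, and shows a constructed hardened chain beside the weak one. The two rulesets are constructed samples modelled only loosely on the description above (table `inet lxc`, bridge `lxcbr0` are assumptions; the real lxc-net rules may differ), and the hardened chain relies on the nftables behaviour that an `accept` verdict ends evaluation in the current chain only, leaving base chains in other tables on the same hook to make their own decision.

```shell
#!/bin/sh
# Added example (not from the bug report or from lxc-net): audit an nftables
# ruleset dump for base chains hooked on "input" whose policy is accept,
# either explicitly or by omission (nft's default when no policy is given),
# and show a chain definition that closes that gap.

# Constructed ruleset text in the shape `nft list ruleset` prints.
# Modelled loosely on the chain described in the report; the real lxc-net
# rules may differ. No "policy" keyword, so the chain defaults to accept.
WEAK_RULESET='table inet lxc {
    chain input {
        type filter hook input priority filter;
        iifname "lxcbr0" udp dport 53 accept
        iifname "lxcbr0" tcp dport 53 accept
        iifname "lxcbr0" udp dport 67 accept
    }
}'

# Hardened form (also constructed): explicit "policy drop", scoped to the
# guest bridge. An "accept" verdict only ends evaluation in this chain; base
# chains in other tables on the same hook still see the packet, so the first
# rule hands non-bridge traffic to whatever other rules the host has instead
# of dropping it here. Bridge traffic gets only DNS and DHCP to the host; any
# other host service the guests need would require its own accept rule.
HARDENED_RULESET='table inet lxc {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname != "lxcbr0" accept
        iifname "lxcbr0" udp dport 53 accept
        iifname "lxcbr0" tcp dport 53 accept
        iifname "lxcbr0" udp dport 67 accept
    }
}'

# Read a ruleset on stdin; print "<family> <table> <chain> <policy>" for every
# base chain hooked on input. A chain with no policy line is reported as the
# implicit accept default.
audit_input_chains() {
    awk '
        /^table /          { table = $2 " " $3 }
        /^[ \t]*chain /    { chain = $2; hook = ""; policy = "accept (implicit default)" }
        /hook input/       { hook = "input" }
        /policy drop/      { policy = "drop" }
        /policy accept/    { policy = "accept (explicit)" }
        /^[ \t]*}/ && chain != "" {
            if (hook == "input") print table, chain, policy
            chain = ""
        }
    '
}

# Print only the input chains that are not set to drop. Exit status 0 when
# at least one open chain was found, 1 when every input chain drops by default.
find_open_input_chains() {
    audit_input_chains | grep -v ' drop$'
}

# Stand-alone demo on the two constructed rulesets. On a live host, pipe the
# real dump instead:  nft list ruleset | find_open_input_chains
echo "weak ruleset:"
printf '%s\n' "$WEAK_RULESET" | audit_input_chains
echo "hardened ruleset:"
printf '%s\n' "$HARDENED_RULESET" | audit_input_chains
```

Run against a real host with `nft list ruleset | find_open_input_chains`; a non-empty result names each input-hook chain that is still accepting by default, which is the condition the report describes. The `iifname != "lxcbr0" accept` rule matters: a bare `policy drop` on a table that hooks input would otherwise drop every packet to the host that its few rules do not match.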



More information about the Pkg-lxc-devel mailing list