I have a web application that serves a GUI via HTTPS to the public internet.
This application runs inside an LXD container (Ubuntu 18.04) on an LXD host (Ubuntu 20.04). The container has two proxy devices forwarding ports 80/443 to 80/443 of the host's network interface. So as per my understanding, only traffic on ports 80/443 is able to reach my application container.
I want to harden the host VM with ufw and have configured the defaults (with the default values, I believe):
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES=""
and allow incoming traffic via rules for HTTP, HTTPS and SSH.
Now, my application grabs exchange rates from fixer.io, which no longer works with ufw enabled on the host. As outgoing traffic should go through, the problem should appear with the response.
So ... I either need to
- add an allow rule for the port the fixer.io API uses for responses, or
- have ufw accept responses to requests sent by the server itself.
Can anybody help me out with either of these?
Due to the container setup, where I believe only ports 80/443 are able to reach the container to begin with, I am a little in doubt whether the port solution is helpful at all. The responses worked fine before I enabled ufw on the host, when the container could only be reached via 80/443, and that has not changed.
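A check worth running on the host before touching any port rules, added here as an example and not part of the original post: traffic from an LXD container leaves the host through the iptables FORWARD chain, which is what ufw's "routed" policy (DEFAULT_FORWARD_POLICY above) governs, so a "deny (routed)" default with no route rules for the container bridge drops the container's own outbound requests regardless of the inbound 80/443 rules. The script parses constructed `ufw status verbose` output in ufw's format and reports whether forwarding over the bridge is permitted; the bridge name lxdbr0 (LXD's default) and the route rules from LXD's documentation are assumptions.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status verbose` for a host set up as in the
# question (deny incoming, allow outgoing, deny routed; 22/80/443 allowed in).
STATUS_BEFORE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere'

# Constructed sample of the same host after the rules LXD's docs recommend for
# its bridge (assumed name lxdbr0):
#   ufw allow in on lxdbr0; ufw route allow in on lxdbr0; ufw route allow out on lxdbr0
STATUS_AFTER="$STATUS_BEFORE
Anywhere on lxdbr0         ALLOW IN    Anywhere
Anywhere                   ALLOW FWD   Anywhere on lxdbr0
Anywhere on lxdbr0         ALLOW FWD   Anywhere"

# routed_policy STATUS -> prints the default policy ufw applies to routed
# (FORWARD chain) traffic, e.g. "deny" or "allow"
routed_policy() {
    printf '%s\n' "$1" | sed -n 's/^Default: .*, \([a-z]*\) (routed)$/\1/p'
}

# bridge_forward_allowed STATUS BRIDGE -> exit 0 if traffic may be forwarded
# both into and out of BRIDGE (so a container's egress and its replies pass),
# exit 1 if the routed default would drop it
bridge_forward_allowed() {
    status=$1; br=$2
    [ "$(routed_policy "$status")" = allow ] && return 0
    printf '%s\n' "$status" | grep -q "ALLOW FWD *Anywhere on $br\$" || return 1
    printf '%s\n' "$status" | grep -q "^Anywhere on $br  *ALLOW FWD" || return 1
    return 0
}

# report STATUS BRIDGE -> one-line verdict for an operator
report() {
    if bridge_forward_allowed "$1" "$2"; then
        echo "routed traffic via $2: allowed"
    else
        echo "routed traffic via $2: dropped by default '$(routed_policy "$1")' (routed); container egress never leaves the host"
    fi
}

report "$STATUS_BEFORE" lxdbr0
report "$STATUS_AFTER" lxdbr0
```

On a real host, replace the constructed samples with `sudo ufw status verbose` output; `ufw route allow in on lxdbr0` and `ufw route allow out on lxdbr0` are the rules that turn the first verdict into the second without opening any additional inbound port.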