doc/networking/firewall: add more restrictive UFW rules

Add an example for more restrictive firewall rules. Closes canonical#11824 Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com>
ru-fu · Sep 18, 2023 · 948abb7 · 948abb7
1 parent 8185f8a
commit 948abb7
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/doc/howto/network_bridge_firewalld.md b/doc/howto/network_bridge_firewalld.md
@@ -67,14 +67,12 @@ For example:
     sudo firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent
     sudo firewall-cmd --reload
 
-<!-- Include start warning -->
-
 ```{warning}
+<!-- Include start warning -->
 The commands given above show a simple example configuration.
 Depending on your use case, you might need more advanced rules and the example configuration might inadvertently introduce a security risk.
-```
-
 <!-- Include end warning -->
+```
 
 ### UFW: Add rules for the bridge
 
@@ -93,12 +91,28 @@ For example:
     sudo ufw route allow in on lxdbr0
     sudo ufw route allow out on lxdbr0
 
+````{warning}
 % Repeat warning from above
 ```{include} network_bridge_firewalld.md
     :start-after: <!-- Include start warning -->
     :end-before: <!-- Include end warning -->
 ```
 
+Here's an example for more restrictive firewall rules that limit access from the guests to the host to only DHCP and DNS and allow all outbound connections from IPv4 hosts:
+
+```
+# allow the guest to get an IP from the LXD host
+sudo ufw allow in on lxdbr0 to any port 67 proto udp
+
+# allow the guest to resolve host names from the LXD host
+sudo ufw allow in on lxdbr0 to any port 53
+
+# allow the guest to have access to outbound connections
+# determine <IPv4> with: lxc network list | grep lxdbr0
+sudo ufw route allow in on lxdbr0 from <IPv4>
+```
+````
+
 (network-lxd-docker)=
 ## Prevent connectivity issues with LXD and Docker