How to Configure UFW for Incus on Debian 12

If you’re running Incus (the container and virtual machine manager built on LXC) on Debian 12 with UFW (Uncomplicated Firewall), you may find that your containers have no working network. This guide walks you through configuring UFW so that it works with Incus while still securing the host server.

The Problem

When UFW is set to drop all traffic it has no rule for, it blocks two things Incus containers depend on: the DHCP and DNS requests that containers send to the dnsmasq instance Incus runs on the bridge (incoming traffic on the host), and the traffic the host must forward between the bridge and its uplink (routed traffic). The result is containers that cannot obtain an IP address via DHCP or resolve DNS names.

The Solution

We need to add specific UFW rules to allow traffic through the Incus bridge while maintaining security on the host server.

Step-by-Step Guide

1. Allow Traffic on the Incus Bridge

First, we need to add rules for the Incus bridge. Replace incusbr0 with your actual bridge name if it is different (incus network list shows the managed networks and their types):

sudo ufw allow in on incusbr0 comment 'incusbr0 for Incus'
sudo ufw route allow in on incusbr0 comment 'incusbr0 for Incus'
sudo ufw route allow out on incusbr0 comment 'incusbr0 for Incus'

The first rule lets the host accept traffic arriving on the bridge, which is what carries the containers' DHCP and DNS requests to the Incus-managed dnsmasq. The two route rules let the host forward traffic entering and leaving the bridge, which gives containers their path to the outside. Note that the first rule admits any traffic from the containers to the host itself, so a container can reach host services listening on the bridge address; narrow it to specific ports if that is not acceptable for your setup.

2. Secure the Host Server

Now, let’s configure UFW to secure the host server while allowing necessary traffic:

# Set the default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH on the alternative port (4422)
sudo ufw allow 4422/tcp comment 'Allow SSH on port 4422'

# Enable UFW
sudo ufw enable

These rules will:

  • Deny all incoming traffic by default
  • Allow all outgoing traffic by default
  • Allow incoming SSH connections on port 4422

3. Verify the Configuration

To check your UFW configuration, use:

sudo ufw status verbose

This will display all active rules and their status.
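As an added example that is not part of the original guide, the following POSIX shell script turns the steps above into something you can check: ufw_commands prints the guide's commands for a given bridge and SSH port, and check_status reads the output of ufw status verbose and reports which of the required rules are missing. The function names, the BRIDGE/SSH_PORT variables and the sample status text are this example's own assumptions.

```shell
# Added example, not part of the original guide: a small checker for the
# rules it installs. Function names, BRIDGE/SSH_PORT and the sample below
# are this example's own assumptions.

# Print the guide's commands for a bridge and SSH port, in the order they
# should run (the SSH allow comes before `ufw enable` so a remote session
# is not cut off).
ufw_commands() {
    br="$1"; port="$2"
    printf '%s\n' \
        "ufw allow in on $br comment '$br for Incus'" \
        "ufw route allow in on $br comment '$br for Incus'" \
        "ufw route allow out on $br comment '$br for Incus'" \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow $port/tcp comment 'Allow SSH on port $port'" \
        "ufw enable"
}

# Read `ufw status verbose` output on stdin; return 0 when every rule the
# guide relies on is present, otherwise list what is missing and return 1.
check_status() {
    br="$1"; port="$2"; status="$(cat)"; missing=0
    need() {  # $1 = description, $2 = extended regex expected in the output
        printf '%s\n' "$status" | grep -Eq "$2" || { echo "MISSING: $1"; missing=1; }
    }
    need "UFW active"                          '^Status: active'
    need "default deny incoming"               '^Default: deny \(incoming\)'
    need "allow in on $br (DHCP/DNS to host)"  "^Anywhere on $br +ALLOW IN +Anywhere"
    need "route allow in on $br"               "^Anywhere +ALLOW FWD +Anywhere on $br"
    need "route allow out on $br"              "^Anywhere on $br +ALLOW FWD +Anywhere"
    need "SSH on $port/tcp"                    "^$port/tcp +ALLOW IN +Anywhere"
    return "$missing"
}

# Constructed sample in the table layout ufw prints for the guide's rules
# (IPv6 twins omitted for brevity).
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
4422/tcp                   ALLOW IN    Anywhere                   # Allow SSH on port 4422
Anywhere on incusbr0       ALLOW IN    Anywhere                   # incusbr0 for Incus
Anywhere                   ALLOW FWD   Anywhere on incusbr0       # incusbr0 for Incus
Anywhere on incusbr0       ALLOW FWD   Anywhere                   # incusbr0 for Incus'

# Against the live firewall: sudo ufw status verbose | sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then check_status "${BRIDGE:-incusbr0}" "${SSH_PORT:-4422}"; fi
```

Set BRIDGE and SSH_PORT in the environment if your bridge or SSH port differ from the guide's defaults.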

Additional Considerations

  1. SSH Configuration: Remember to configure your SSH daemon to listen on port 4422. Edit /etc/ssh/sshd_config and set Port 4422, then restart the SSH service (on Debian 12 the unit is named ssh: sudo systemctl restart ssh). Keep your current session open and confirm that a fresh login on port 4422 succeeds before closing it.
  2. Persistence: These UFW rules will persist across reboots; UFW stores them under /etc/ufw and its systemd unit reloads them at boot.
  3. Container Networking: After applying these rules, your Incus containers should be able to obtain IP addresses and have proper network connectivity.
  4. Troubleshooting: If you still encounter issues, try restarting the UFW service (sudo systemctl restart ufw) or your Incus containers.

Conclusion

By following this guide, you’ve successfully configured UFW to work with Incus on Debian 12 while maintaining a secure host environment. Your Incus containers should now have proper network functionality, and your server is protected with only necessary ports open.

Remember to always test your configuration thoroughly and adjust as needed for your specific use case. If you encounter any issues or need further customization, consult the UFW and Incus documentation or seek assistance from the community forums.