LXC proxmox 4.3 firewall does not work

dragon2611

It appears the firewall may not work correctly for outgoing traffic if DHCP is used.

Set the default egress policy to reject, allow DHCP (UDP 66,67,68) and allow local subnet only.
Firewall enabled on NIC and in firewall options.

Start container and container has no eth0/IP.

dhclient eth0 in container, container gets IP.

Container is able to access the internet, yet it shouldn't be, as only the local subnet was allowed on the firewall and the default action was set to reject.
 
Here it works.
Here is the config of the fw:

[OPTIONS]

enable: 1
policy_out: REJECT

[RULES]

IN ACCEPT -dest 192.168.160.0/20 -p udp -dport 66,67,68

Did you enable the fw on the vnet of the container?
 
Yes, I was able to wget google and ping although outbound access was set to reject and I had no rules for ICMP/HTTP. The only outbound rule I'd set was the destination subnet for the LAN the container was sitting in.

Also odd that the debian8 template wasn't activating the NIC, might re-download the template in case I've gotten a duff one.
 
It might have been me being stupid, just noticed that on that particular server the firewall is set to Off at the datacentre/top level, so even though it's set to On on the node I'm not sure it's actually on. (That machine is behind another firewall and is a standalone machine.)
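
The situation the thread ends on, as an added example that is not part of any post above: a shell check that reads the datacenter-level, container-level and NIC-level firewall switches and reports whether all are on. The function names, VMID 100 and the sample files are constructed for illustration; the paths in the usage comment are the standard Proxmox VE locations.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# fw_enabled FILE: print 1 if FILE's [OPTIONS] section has "enable: 1", else 0.
fw_enabled() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '
        /^\[/ { in_opts = (toupper($0) ~ /^\[OPTIONS\]/); next }
        in_opts && /^[ \t]*enable[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); v = $0 }
        END { print ((v + 0 == 1) ? 1 : 0) }
    ' "$1"
}

# nic_fw_enabled CONF: print 1 if any netN line in the container config has firewall=1.
nic_fw_enabled() {
    if grep -Eq '^net[0-9]+:.*[ ,]firewall=1(,|$)' "$1" 2>/dev/null; then echo 1; else echo 0; fi
}

# effective_fw CLUSTER_FW CT_FW CT_CONF: print each switch; succeed only if all are on.
effective_fw() {
    dc=$(fw_enabled "$1"); ct=$(fw_enabled "$2"); nic=$(nic_fw_enabled "$3")
    echo "datacenter=$dc container=$ct nic=$nic"
    [ "$dc" = 1 ] && [ "$ct" = 1 ] && [ "$nic" = 1 ]
}

# On a real host (VMID 100 is a placeholder):
#   effective_fw /etc/pve/firewall/cluster.fw /etc/pve/firewall/100.fw /etc/pve/lxc/100.conf

# Constructed sample matching the thread: container and NIC on, datacenter off.
d=$(mktemp -d)
printf '[OPTIONS]\n\nenable: 0\n' > "$d/cluster.fw"
printf '[OPTIONS]\n\nenable: 1\npolicy_out: REJECT\n' > "$d/100.fw"
printf 'net0: name=eth0,bridge=vmbr0,firewall=1,ip=dhcp,type=veth\n' > "$d/100.conf"
if effective_fw "$d/cluster.fw" "$d/100.fw" "$d/100.conf"; then
    echo "rules are enforced"
else
    echo "rules are NOT enforced: a switch above is 0"
fi
```

On a live node, `pve-firewall status` shows whether the firewall service itself is enabled and running.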