I had to restore my homelab and took the opportunity to move from Docker to rootless Podman quadlets. Well, almost fully rootless: I kept Pi-hole and Caddy at the root level because I did not want to deal with sysctl.

I have everything running, but for now I have to disable my firewall. With Docker I was using this script: https://github.com/chaifeng/ufw-docker But I'm having a hard time finding an alternative for Podman.

Do you know of any scripts that would magically fix Podman and ufw? Would it be a better solution for me to manage iptables manually?

My needs are pretty simple, as I do not really care if the ports are visible on my private network; I just want to allow specific IPs on ports 80 and 443.

Edit: the issue I'm facing is that I'm allowing some specific IPs to access my network, but when I enable ufw the traffic is blocked. I had the same rules with Docker and everything was working fine. I notice that sometimes the traffic goes through and other times it is blocked, much like with Docker when you don't use the script: the traffic is blocked or not depending on what wrote the iptables rules last.

Edit 2: So actually the issue was with some routing. Running this command fixes everything: ufw route allow in on wlan0 out on cni-podman0

  • nis@feddit.dk · 12 hours ago (edited)

    Does Podman actually open the ports like Docker does? I was of the impression it did not. But it's entirely possible that I might be wrong.

    I would be disappointed if it did. I’m moving to Podman as well just because of the firewall issue in Docker.

    Edit: After some searching I’m convinced Podman does not mess with the firewall unless instructed to do so. Have you tested that the ports are actually opened up?

    • kwa (OP) · 12 hours ago

      I should have clarified this. It does not open the ports, but I have set up my firewall to allow a range of IPs and the traffic is still blocked.

      I have noticed some inconsistency in the behavior, where the traffic would sometimes work upon ufw activation but never work upon reboot. Knowing how Docker works, I thought Podman would also mess with the firewall. But maybe the issue comes from something else.

      • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social · 8 hours ago (edited)

        I think you have an X/Y problem.

        Rootless podman requires no special firewall management. Like Docker, you merely expose what you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access, just like for any other program.

        How is your podman configured? To use pasta, or slirp4netns? I often have trouble with pasta (I merely haven't spent the time to figure out the details of using it), so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there's something in there. The pasta package is actually called "passt."

        Did you set up subuid and subgid correctly?

        Did you confirm you can access your services locally?

        If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn’t have any firewall issues.

        As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with alongside other tools like nft. I'm sure it is great for some people, but any time you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong "zone", or was in persistent mode rather than runtime mode, or whatever. It's just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.

        If you followed the rootless podman wiki and everything else looks good, I’d look suspiciously at firewalld.

        • kwa (OP) · 8 hours ago

          Yes maybe, I will edit my post to better explain the issue I’m facing.

          I'm using pasta. I can see some weird behavior; for instance, some services can access others through host.containers.internal, and for others I have to use 192.168.1.x.
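The two concrete checks raised in this thread, the subuid/subgid question from the 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍 comment and the ufw rules the OP settled on (source-IP allows for 80/443 plus the route rule from wlan0 into cni-podman0), as one added shell example. This is not code from the thread or from the Podman or ufw projects. The /etc/subuid content and the IP addresses are constructed stand-ins so the script runs offline, the interface names come from the OP's edit, and the 65536-id minimum is an assumption based on the usual rootless Podman guidance rather than a limit the thread states. The ufw commands are printed for review, not executed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for rootless podman
# behind ufw. Sample /etc/subuid content and IP list are constructed here so
# the script runs offline; wlan0 and cni-podman0 are the interface names from
# the original post.

# Constructed stand-in for /etc/subuid (same user:start:count format as the real file).
SAMPLE_SUBUID='root:100000:65536
alice:165536:65536
bob:231072:1000'

# check_subid USER FILE_CONTENT
# Prints "ok", "short" or "missing". Rootless podman needs a subordinate id
# range for the user; 65536 ids is the commonly recommended minimum
# (assumption from general guidance, not a value taken from the thread).
check_subid() {
  user=$1
  content=$2
  printf '%s\n' "$content" | awk -F: -v u="$user" '
    $1 == u { found = 1; if ($3 >= 65536) { print "ok" } else { print "short" }; exit }
    END { if (!found) print "missing" }'
}

# ufw_rules IFACE_IN IFACE_OUT IP...
# Emits the ufw commands the post converged on: allow each listed source IP to
# reach 80/443 on the host, then permit forwarding from the LAN interface into
# the podman bridge. Nothing is executed; pipe the output to sh as root only
# after reviewing it.
ufw_rules() {
  in_if=$1; out_if=$2; shift 2
  for ip in "$@"; do
    for port in 80 443; do
      printf 'ufw allow from %s to any port %s proto tcp\n' "$ip" "$port"
    done
  done
  printf 'ufw route allow in on %s out on %s\n' "$in_if" "$out_if"
}

# Usage with the constructed input (on a real host: check_subid "$USER" "$(cat /etc/subuid)").
check_subid alice "$SAMPLE_SUBUID"   # ok
check_subid bob "$SAMPLE_SUBUID"     # short
ufw_rules wlan0 cni-podman0 192.168.1.10 192.168.1.20
```

Run the same check against /etc/subgid as well, since both files must carry a range for the user. The route rule is what makes traffic that ufw would otherwise drop in the FORWARD chain reach the bridge; the per-IP allows cover the INPUT side for the host-level ports.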