Package: lxc
Version: 1:6.0.3-1
Severity: minor
X-Debbugs-Cc: [email protected]
The /usr/libexec/lxc/lxc-net script adds some default firewall rules. But those don't specify a policy for the input chain, so it gets an accept policy by default. That's not good. It also makes it a bit pointless that rules are then added that accept DNS and DHCP traffic. The default configuration is to use RFC-1918 addresses for lxc guests, and that makes it hard for traffic from the outside (I assume we can restrict ourselves to protecting against that), but it's hard to be sure, and I guess it's also possible to configure the networking so LXC guests are more directly connected to the outside while still relying on that chain.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-29-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.89
ii  dnsmasq-base [dnsmasq-base]  2.91~test9-1
ii  iproute2                     6.13.0-1
ii  libapparmor1                 3.1.7-2
ii  libc6                        2.40-6
ii  libcap2                      1:2.66-5+b1
ii  libdbus-1-3                  1.16.0-1
ii  libgcc-s1                    14.2.0-17
ii  liblxc-common                1:6.0.3-1
ii  liblxc1t64                   1:6.0.3-1
ii  libseccomp2                  2.5.5-2
ii  libselinux1                  3.8-3
ii  nftables                     1.1.1-1

Versions of packages lxc recommends:
ii  apparmor       3.1.7-2
ii  debootstrap    1.0.140
ii  dirmngr        2.2.46-1+b1
ii  distrobuilder  3.1-1+b2
ii  gnupg          2.2.46-1
ii  libpam-cgfs    1:6.0.3-1
ii  lxcfs          6.0.3-1
ii  openssl        3.4.1-1
ii  rsync          3.3.0+ds1-4
ii  uidmap         1:4.16.0-7
ii  wget           1.24.5-2+b1

Versions of packages lxc suggests:
ii  btrfs-progs    6.12-1+b1
pn  criu           <none>
pn  lvm2           <none>
pn  lxc-templates  <none>
pn  python3-lxc    <none>

-- debconf information:
  lxc/auto_update_config:
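
The point raised above, shown as an added nftables illustration that is not the lxc-net script's own ruleset: a base chain declared without a policy silently defaults to accept, so per-service accept rules add nothing, and the corrected form states a drop policy for bridge traffic explicitly. The table names, the chain name and the bridge name lxcbr0 are assumptions for the example.

```nft
# Weak form (for contrast only): no policy on the base chain, so nftables
# defaults it to accept and the two accept rules change nothing.
table inet lxc_weak {
    chain input {
        type filter hook input priority filter;
        iifname "lxcbr0" udp dport { 53, 67 } accept
        iifname "lxcbr0" tcp dport 53 accept
    }
}

# Corrected form: an explicit drop policy, scoped so that only traffic arriving
# from the container bridge is subject to it.
table inet lxc {
    chain input {
        type filter hook input priority filter; policy drop;

        # Packets from any other interface are not this table's concern. An
        # accept verdict only ends this chain; other base chains on the input
        # hook (the host's own firewall) still evaluate the packet.
        iifname != "lxcbr0" accept

        # Replies to connections the host itself opened towards guests.
        ct state established,related accept

        # Services the host actually provides to guests: dnsmasq DNS (UDP and
        # TCP) and the DHCP server port.
        iifname "lxcbr0" udp dport { 53, 67 } accept
        iifname "lxcbr0" tcp dport 53 accept

        # Basic reachability and IPv6 neighbour/router discovery from guests.
        iifname "lxcbr0" icmp type echo-request accept
        iifname "lxcbr0" icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept

        # Anything else from the bridge falls through to the drop policy.
    }
}
```

After loading, `nft list chain inet lxc input` should show `policy drop` in the chain header; a chain listed as `policy accept` is the defaulted, unprotected state the report describes.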

