Your IP : 216.73.217.13
<!doctype html>
<html class="no-js" lang="en" data-content_root="../../">
<head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta property="og:title" content="How to configure your firewall" />
<meta property="og:type" content="website" />
<meta property="og:url" content="/howto/network_bridge_firewalld/" />
<meta property="og:site_name" content="LXD documentation" />
<meta property="og:description" content="Linux firewalls are based on netfilter. LXD uses the same subsystem, which can lead to connectivity issues. If you run a firewall on your system, you might need to configure it to allow network tra..." />
<meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/lxd_tag.png" />
<meta property="og:image:alt" content="LXD documentation" />
<meta name="description" content="Linux firewalls are based on netfilter. LXD uses the same subsystem, which can lead to connectivity issues. If you run a firewall on your system, you might need to configure it to allow network tra..." />
<meta property="article:modified_time" content="2026-02-12T14:01:41+00:00" /><link rel="index" title="Index" href="../../genindex/"><link rel="search" title="Search" href="../../search/"><link rel="next" title="How to integrate with systemd-resolved" href="../network_bridge_resolved/"><link rel="prev" title="How to configure network zones" href="../network_zones/">
<link rel="canonical" href="/howto/network_bridge_firewalld/">
<link rel="shortcut icon" href="../../_static/favicon.ico"><!-- Generated with Sphinx 7.4.7 and Furo 2025.12.19 -->
<title>How to configure your firewall - LXD documentation</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=d111a655" />
<link rel="stylesheet" type="text/css" href="../../_static/styles/furo.css?v=7bdb33bb" />
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
<link rel="stylesheet" type="text/css" href="../../_static/config-options.css" />
<link rel="stylesheet" type="text/css" href="../../_static/related-links.css" />
<link rel="stylesheet" type="text/css" href="../../_static/terminal.css" />
<link rel="stylesheet" type="text/css" href="../../_static/youtube.css" />
<link rel="stylesheet" type="text/css" href="../../_static/sphinx-design.min.css?v=95c83b7e" />
<link rel="stylesheet" type="text/css" href="../../_static/styles/furo-extensions.css?v=8dab3a3b" />
<link rel="stylesheet" type="text/css" href="../../_static/lxd_custom.css?v=bfbf4da2" />
<link rel="stylesheet" type="text/css" href="../../_static/cookie-banner.css?v=b74831ab" />
<link rel="stylesheet" type="text/css" href="../../_static/custom.css?v=e189117a" />
<link rel="stylesheet" type="text/css" href="../../_static/header.css?v=a8078839" />
<link rel="stylesheet" type="text/css" href="../../_static/github_issue_links.css?v=3d761185" />
<link rel="stylesheet" type="text/css" href="../../_static/furo_colors.css?v=825fec6f" />
</head>
<body>
<header id="header" class="p-navigation">
<!-- Google Tag Manager -->
<script>
(function(w, d, s, l, i) {
w[l] = w[l] || [];
w[l].push({
'gtm.start': new Date().getTime(),
event: 'gtm.js'
});
var f = d.getElementsByTagName(s)[0];
var j = d.createElement(s);
var dl = '';
if (l != 'dataLayer') {
dl = '&l=' + l;
}
j.async = true;
j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC');
</script>
<div class="p-navigation__nav" role="menubar">
<ul class="p-navigation__links" role="menu">
<li>
<a class="p-logo" href="https://canonical.com/lxd" aria-current="page">
<img src="../../_static/lxd_tag.png" alt="Logo" class="p-logo-image">
<div class="p-logo-text p-heading--4">LXD
</div>
</a>
</li>
<li class="nav-ubuntu-com">
<a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a>
</li>
<li class="nav-dropdown">
<a href="#" class="p-navigation__link nav-more-links"
id="more-resources-toggle"
aria-haspopup="true"
aria-expanded="false">
More resources
</a>
<ul class="more-links-dropdown" aria-labelledby="more-resources-toggle">
<li>
<a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Discourse</a>
</li>
<li>
<a href="https://matrix.to/#/#documentation:ubuntu.com" class="p-navigation__sub-link p-dropdown__link">Matrix</a>
</li>
<li>
<a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a>
</li>
</ul>
</li>
</ul>
</div>
</header>
<script>
document.body.dataset.theme = localStorage.getItem("theme") || "auto";
</script>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-toc" viewBox="0 0 24 24">
<title>Contents</title>
<svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024">
<path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/>
</svg>
</symbol>
<symbol id="svg-menu" viewBox="0 0 24 24">
<title>Menu</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu">
<line x1="3" y1="12" x2="21" y2="12"></line>
<line x1="3" y1="6" x2="21" y2="6"></line>
<line x1="3" y1="18" x2="21" y2="18"></line>
</svg>
</symbol>
<symbol id="svg-arrow-right" viewBox="0 0 24 24">
<title>Expand</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right">
<polyline points="9 18 15 12 9 6"></polyline>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24">
<title>Light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24">
<title>Dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" />
</svg>
</symbol>
<symbol id="svg-sun-with-moon" viewBox="0 0 24 24">
<title>Auto light/dark, in light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/>
<line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/>
<line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/>
<line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/>
<line x1="19" y1="14.05" x2="20.414" y2="15.464"/>
<line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/>
<line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/>
<line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/>
<line x1="19" y1="5.05" x2="20.414" y2="3.636"/>
<circle cx="14.5" cy="9.55" r="3.6"/>
</svg>
</symbol>
<symbol id="svg-moon-with-sun" viewBox="0 0 24 24">
<title>Auto light/dark, in dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/>
<line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/>
<line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/>
<line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/>
<line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/>
<line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/>
<line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/>
<line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/>
<line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/>
<circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/>
</svg>
</symbol>
<symbol id="svg-pencil" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code">
<path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" />
<path d="M13.5 6.5l4 4" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
<symbol id="svg-eye" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
<path
d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
</svg>
<input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation" aria-label="Toggle site navigation sidebar">
<input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc" aria-label="Toggle table of contents sidebar">
<label class="overlay sidebar-overlay" for="__navigation"></label>
<label class="overlay toc-overlay" for="__toc"></label>
<a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a>
<div class="page">
<header class="mobile-header">
<div class="header-left">
<label class="nav-overlay-icon" for="__navigation">
<span class="icon"><svg><use href="#svg-menu"></use></svg></span>
</label>
</div>
<div class="header-center">
<a href="../../"><div class="brand">LXD documentation</div></a>
</div>
<div class="header-right">
<div class="theme-toggle-container theme-toggle-header">
<button class="theme-toggle" aria-label="Toggle Light / Dark / Auto color theme">
<svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
<svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
<svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
</button>
</div>
<label class="toc-overlay-icon toc-header-icon" for="__toc">
<span class="icon"><svg><use href="#svg-toc"></use></svg></span>
</label>
</div>
</header>
<aside class="sidebar-drawer">
<div class="sidebar-container">
<div class="sidebar-sticky"><a class="sidebar-brand" href="../../">
<span class="sidebar-brand-text">LXD documentation</span>
</a><form class="sidebar-search-container" method="get" action="../../search/" role="search">
<input class="sidebar-search" placeholder="Search" name="q" aria-label="Search">
<input type="submit" value="Go">
<input type="hidden" name="check_keywords" value="yes">
<input type="hidden" name="area" value="default">
</form>
<div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../">LXD</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../tutorial/first_steps/">Tutorial</a></li>
<li class="toctree-l1 current has-children"><a class="reference internal" href="../">How-to guides</a><input aria-label="Toggle navigation of How-to guides" checked="" class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l2 has-children"><a class="reference internal" href="../../getting_started/">Getting started</a><input aria-label="Toggle navigation of Getting started" class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../installing/">Install LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../initialize/">Initialize LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_ui/">Access the UI</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_documentation/">Access documentation locally</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../operation/">LXD server and client</a><input aria-label="Toggle navigation of LXD server and client" class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../server_expose/">Expose LXD to the network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../server_configure/">Configure the LXD server</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../oidc/">Configure single sign-on with OIDC</a><input aria-label="Toggle navigation of Configure single sign-on with OIDC" class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../oidc_auth0/">How to configure Auth0</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_ory/">How to configure Ory Hydra</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_keycloak/">How to configure Keycloak</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_entra_id/">How to configure Entra ID</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../../remotes/">Add remote servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../lxc_alias/">Add command aliases</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../instances/">Instances</a><input aria-label="Toggle navigation of Instances" class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../instances_create/">Create instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_configure/">Configure instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_manage/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../profiles/">Use profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot errors</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_access_files/">Access files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_console/">Access the console</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../instance-exec/">Run commands</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../cloud-init/">Use cloud-init</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_routed_nic_vm/">Add a routed NIC to a VM</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_backup/">Back up instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_migrate/">Migrate instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../import_machines_to_instances/">Import existing machines</a></li>
<li class="toctree-l3"><a class="reference internal" href="../container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../images/">Images</a><input aria-label="Toggle navigation of Images" class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../images_remote/">Use remote images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_manage/">Manage images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_profiles/">Associate profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_copy/">Copy and import images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_create/">Create images</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../projects/">Projects</a><input aria-label="Toggle navigation of Projects" class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../projects_create/">Create and configure</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_work/">Work with projects</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_confine/">Confine users to projects</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../storage/">Storage</a><input aria-label="Toggle navigation of Storage" class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../storage_pools/">Manage pools</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_volumes/">Manage volumes</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_buckets/">Manage buckets</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_create_instance/">Create an instance in a pool</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_backup_volume/">Back up a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_move_volume/">Move or copy a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_csi/">Use the LXD CSI driver with Kubernetes</a></li>
</ul>
</li>
<li class="toctree-l2 current has-children"><a class="reference internal" href="../../networks/">Networking</a><input aria-label="Toggle navigation of Networking" checked="" class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../network_create/">Create a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_configure/">Configure a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bgp/">Configure as BGP server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_acls/">Configure network ACLs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_forwards/">Configure forwards</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_zones/">Configure network zones</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_resolved/">Integrate with resolved</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_setup/">Set up OVN</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_load_balancers/">Configure load balancers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_peers/">Configure peer routing</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ipam/">Display IPAM information</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../clustering/">Clustering</a><input aria-label="Toggle navigation of Clustering" class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../cluster_form/">Form a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage/">Manage a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_networks/">Configure networks</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_storage/">Configure storage</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage_instance/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_groups/">Set up cluster groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_placement_groups/">Use placement groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_recover/">Recover a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_vip/">Set up a highly available virtual IP</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../production-setup/">Production setup</a><input aria-label="Toggle navigation of Production setup" class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../benchmark_performance/">Benchmark performance</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_increase_bandwidth/">Increase bandwidth</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../metrics/">Monitor metrics</a></li>
<li class="toctree-l3"><a class="reference internal" href="../logs_loki/">Send logs to Loki</a></li>
<li class="toctree-l3"><a class="reference internal" href="../grafana/">Set up Grafana</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../backup/">Back up a server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery/">Recover instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery_replication/">Disaster recovery with storage replication</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../snap/">Manage the snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../security_harden/">Harden security</a></li>
<li class="toctree-l2 current has-children"><a class="reference internal" href="../troubleshoot/">Troubleshooting</a><input aria-label="Toggle navigation of Troubleshooting" checked="" class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l3 current current-page"><a class="current reference internal" href="#">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../dqlite_troubleshoot/">Troubleshoot Dqlite</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../debugging/">Debug LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../faq/">Frequently asked</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../support/">Get support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../contributing/">Contribute to LXD</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_bearer/">How to authenticate to the LXD API using bearer tokens</a></li>
<li class="toctree-l2"><a class="reference internal" href="../devlxd_authenticate/">How to authenticate to the DevLXD API</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../explanation/">Explanation</a><input aria-label="Toggle navigation of Explanation" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/instances/">Containers and VMs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../image-handling/">Local and remote images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/storage/">Storage pools, volumes, and buckets</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/networks/">Networking setups</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../database/">The LXD Dqlite database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../authentication/">Remote API authentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/authorization/">Remote API authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/projects/">Instances grouping with projects</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/clusters/">Clusters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/performance_tuning/">Performance tuning</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/security/">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/bpf/">Privilege delegation using BPF Token</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/csi/">The LXD CSI driver</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../reference/">Reference</a><input aria-label="Toggle navigation of Reference" class="toctree-checkbox" id="toctree-checkbox-14" name="toctree-checkbox-14" role="switch" type="checkbox"/><label for="toctree-checkbox-14"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../requirements/">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../architectures/">Architectures</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/release-notes/">Release notes</a><input aria-label="Toggle navigation of Release notes" class="toctree-checkbox" id="toctree-checkbox-15" name="toctree-checkbox-15" role="switch" type="checkbox"/><label for="toctree-checkbox-15"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/release-notes/release-notes-6.7/">LXD 6.7</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/release-notes/release-notes-6.6/">LXD 6.6</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/releases-snap/">Releases and snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/remote_image_servers/">Remote image servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/image_format/">Image format</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../guest-os-compatibility/">Guest OS compatibility</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../container-environment/">Container environment</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../config-options/">Configuration option index</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../server/">Server configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../explanation/instance_config/">Instance configuration</a><input aria-label="Toggle navigation of Instance configuration" class="toctree-checkbox" id="toctree-checkbox-16" name="toctree-checkbox-16" role="switch" type="checkbox"/><label for="toctree-checkbox-16"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_properties/">Instance properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_options/">Instance options</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../../reference/devices/">Devices</a><input aria-label="Toggle navigation of Devices" class="toctree-checkbox" id="toctree-checkbox-17" name="toctree-checkbox-17" role="switch" type="checkbox"/><label for="toctree-checkbox-17"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../../reference/standard_devices/">Standard devices</a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_none/">Type: <code class="docutils literal notranslate"><span class="pre">none</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_nic/">Type: <code class="docutils literal notranslate"><span class="pre">nic</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_disk/">Type: <code class="docutils literal notranslate"><span class="pre">disk</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_char/">Type: <code class="docutils literal notranslate"><span class="pre">unix-char</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_block/">Type: <code class="docutils literal notranslate"><span class="pre">unix-block</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_usb/">Type: <code class="docutils literal notranslate"><span class="pre">usb</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_gpu/">Type: <code class="docutils literal notranslate"><span class="pre">gpu</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_infiniband/">Type: <code class="docutils literal notranslate"><span class="pre">infiniband</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_proxy/">Type: <code class="docutils literal notranslate"><span class="pre">proxy</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_unix_hotplug/">Type: <code class="docutils literal notranslate"><span class="pre">unix-hotplug</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_tpm/">Type: <code class="docutils literal notranslate"><span class="pre">tpm</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../../reference/devices_pci/">Type: <code class="docutils literal notranslate"><span class="pre">pci</span></code></a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/instance_units/">Units for storage and network limits</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/preseed_yaml_fields/">Preseed YAML file fields</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/projects/">Project configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/storage_drivers/">Storage drivers</a><input aria-label="Toggle navigation of Storage drivers" class="toctree-checkbox" id="toctree-checkbox-18" name="toctree-checkbox-18" role="switch" type="checkbox"/><label for="toctree-checkbox-18"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_dir/">Directory - <code class="docutils literal notranslate"><span class="pre">dir</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_btrfs/">Btrfs - <code class="docutils literal notranslate"><span class="pre">btrfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_lvm/">LVM - <code class="docutils literal notranslate"><span class="pre">lvm</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_zfs/">ZFS - <code class="docutils literal notranslate"><span class="pre">zfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_ceph/">Ceph RBD - <code class="docutils literal notranslate"><span class="pre">ceph</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_powerflex/">Dell PowerFlex - <code class="docutils literal notranslate"><span class="pre">powerflex</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_pure/">Pure Storage - <code class="docutils literal notranslate"><span class="pre">pure</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_alletra/">HPE Alletra - <code class="docutils literal notranslate"><span class="pre">alletra</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_cephfs/">CephFS - <code class="docutils literal notranslate"><span class="pre">cephfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/storage_cephobject/">Ceph Object - <code class="docutils literal notranslate"><span class="pre">cephobject</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/networks/">Networks</a><input aria-label="Toggle navigation of Networks" class="toctree-checkbox" id="toctree-checkbox-19" name="toctree-checkbox-19" role="switch" type="checkbox"/><label for="toctree-checkbox-19"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_bridge/">Bridge network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_ovn/">OVN network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_macvlan/">Macvlan network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_physical/">Physical network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/network_sriov/">SR-IOV network</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/cluster_member_config/">Cluster configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/placement_groups/">Placement group configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/server_settings/">Production server settings</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/provided_metrics/">Provided metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/permissions/">Permissions</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../restapi_landing/">REST API</a><input aria-label="Toggle navigation of REST API" class="toctree-checkbox" id="toctree-checkbox-20" name="toctree-checkbox-20" role="switch" type="checkbox"/><label for="toctree-checkbox-20"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../rest-api/">Main API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../api/">Main API specification</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../api-extensions/">Main API extensions</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../events/">Events API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../dev-lxd/">Instance API</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../reference/driver_csi/">LXD CSI driver reference</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../reference/manpages/">Man pages</a><input aria-label="Toggle navigation of Man pages" class="toctree-checkbox" id="toctree-checkbox-21" name="toctree-checkbox-21" role="switch" type="checkbox"/><label for="toctree-checkbox-21"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../reference/manpages/lxc/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../internals/">Internals</a><input aria-label="Toggle navigation of Internals" class="toctree-checkbox" id="toctree-checkbox-22" name="toctree-checkbox-22" role="switch" type="checkbox"/><label for="toctree-checkbox-22"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../environment/">Environment variables</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/uefi_variables/">UEFI variables for VMs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../daemon-behavior/">Daemon behavior</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../syscall-interception/">System call interception</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../userns-idmap/">User namespace setup</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/ovn-internals/">OVN implementation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/vm_live_migration_internals/">VM live migration implementation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../reference/dqlite-internals/">Dqlite</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference external" href="https://github.com/canonical/lxd">Project repository</a></li>
<li class="toctree-l2"><a class="reference external" href="https://images.lxd.canonical.com">Image server</a></li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div>
</aside>
<div class="main">
<div class="content">
<div class="article-container">
<a href="#" class="back-to-top muted-link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
<path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"></path>
</svg>
<span>Back to top</span>
</a>
<div class="content-icon-container">
<div class="edit-this-page">
<a class="muted-link" href="https://github.com/canonical/lxd/edit/main/doc/howto/network_bridge_firewalld.md" title="Contribute to this page">
<svg><use href="#svg-pencil"></use></svg>
<span class="visually-hidden">Contribute to this page</span>
</a>
</div><div class="theme-toggle-container theme-toggle-content">
<button class="theme-toggle" aria-label="Toggle Light / Dark / Auto color theme">
<svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
<svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
<svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
</button>
</div>
<label class="toc-overlay-icon toc-content-icon" for="__toc">
<span class="icon"><svg><use href="#svg-toc"></use></svg></span>
</label>
</div>
<article role="main" id="furo-main-content">
<section id="how-to-configure-your-firewall">
<span id="network-bridge-firewall"></span><h1>How to configure your firewall<a class="headerlink" href="#how-to-configure-your-firewall" title="Link to this heading">¶</a></h1>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>This guide applies to managed bridge networks only.</p>
</div>
<p>Linux firewalls are based on <code class="docutils literal notranslate"><span class="pre">netfilter</span></code>.
LXD uses the same subsystem, which can lead to connectivity issues.</p>
<p>If you run a firewall on your system, you might need to configure it to allow network traffic between the managed LXD bridge and the host.
Otherwise, some network functionality (DHCP, DNS and external network access) might not work as expected.</p>
<p>You might also see conflicts between the rules defined by your firewall (or another application) and the firewall rules that LXD adds.
For example, your firewall might erase LXD rules if it is started after the LXD daemon, which might interrupt network connectivity to the instance.</p>
<section id="xtables-vs-nftables">
<h2><code class="docutils literal notranslate"><span class="pre">xtables</span></code> vs. <code class="docutils literal notranslate"><span class="pre">nftables</span></code><a class="headerlink" href="#xtables-vs-nftables" title="Link to this heading">¶</a></h2>
<p>There are different userspace commands to add rules to <code class="docutils literal notranslate"><span class="pre">netfilter</span></code>: <code class="docutils literal notranslate"><span class="pre">xtables</span></code> (<code class="docutils literal notranslate"><span class="pre">iptables</span></code> for IPv4 and <code class="docutils literal notranslate"><span class="pre">ip6tables</span></code> for IPv6) and <code class="docutils literal notranslate"><span class="pre">nftables</span></code>.</p>
<p><code class="docutils literal notranslate"><span class="pre">xtables</span></code> provides an ordered list of rules, which might cause issues if multiple systems add and remove entries from the list.
<code class="docutils literal notranslate"><span class="pre">nftables</span></code> adds the ability to separate rules into namespaces, which helps to separate rules from different applications.
However, if a packet is blocked in one namespace, it is not possible for another namespace to allow it.
Therefore, rules in one namespace can still affect rules in another namespace, and firewall applications can still impact LXD network functionality.</p>
<p>If your system supports and uses <code class="docutils literal notranslate"><span class="pre">nftables</span></code>, LXD detects this and switches to <code class="docutils literal notranslate"><span class="pre">nftables</span></code> mode.
In this mode, LXD adds its rules into the <code class="docutils literal notranslate"><span class="pre">nftables</span></code>, using its own <code class="docutils literal notranslate"><span class="pre">nftables</span></code> namespace.</p>
</section>
<section id="use-lxd-s-firewall">
<h2>Use LXD’s firewall<a class="headerlink" href="#use-lxd-s-firewall" title="Link to this heading">¶</a></h2>
<p>By default, managed LXD bridges add firewall rules to ensure full functionality.
If you do not run another firewall on your system, you can let LXD manage its firewall rules.</p>
<p>To enable or disable this behavior, use the <code class="docutils literal notranslate"><span class="pre">ipv4.firewall</span></code> or <code class="docutils literal notranslate"><span class="pre">ipv6.firewall</span></code> <a class="reference internal" href="../../reference/network_bridge/#network-bridge-options"><span class="std std-ref">configuration options</span></a>.</p>
</section>
<section id="use-another-firewall">
<h2>Use another firewall<a class="headerlink" href="#use-another-firewall" title="Link to this heading">¶</a></h2>
<p>Firewall rules added by other applications might interfere with the firewall rules that LXD adds.
Therefore, if you use another firewall, you should disable LXD’s firewall rules.
You must also configure your firewall to allow network traffic between the instances and the LXD bridge, so that the LXD instances can access the DHCP and DNS server that LXD runs on the host.</p>
<p>See the following sections for instructions on how to disable LXD’s firewall rules and how to properly configure <code class="docutils literal notranslate"><span class="pre">firewalld</span></code> and UFW, respectively.</p>
<section id="disable-lxd-s-firewall-rules">
<h3>Disable LXD’s firewall rules<a class="headerlink" href="#disable-lxd-s-firewall-rules" title="Link to this heading">¶</a></h3>
<p>Run the following commands to prevent LXD from setting firewall rules for a specific network bridge (for example, <code class="docutils literal notranslate"><span class="pre">lxdbr0</span></code>):</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>lxc network set <network_bridge> ipv6.firewall false
lxc network set <network_bridge> ipv4.firewall false
</pre></div>
</div>
</section>
<section id="firewalld-add-the-bridge-to-the-trusted-zone">
<h3><code class="docutils literal notranslate"><span class="pre">firewalld</span></code>: Add the bridge to the trusted zone<a class="headerlink" href="#firewalld-add-the-bridge-to-the-trusted-zone" title="Link to this heading">¶</a></h3>
<p>To allow traffic to and from the LXD bridge in <code class="docutils literal notranslate"><span class="pre">firewalld</span></code>, add the bridge interface to the <code class="docutils literal notranslate"><span class="pre">trusted</span></code> zone.
To do this permanently (so that it persists after a reboot), run the following commands:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo firewall-cmd --zone=trusted --change-interface=<network_bridge> --permanent
sudo firewall-cmd --reload
</pre></div>
</div>
<p>For example:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent
sudo firewall-cmd --reload
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<!-- Include start warning -->
<p>The commands given above show a simple example configuration.
Depending on your use case, you might need more advanced rules and the example configuration might inadvertently introduce a security risk.</p>
<!-- Include end warning -->
</div>
</section>
<section id="ufw-add-rules-for-the-bridge">
<h3>UFW: Add rules for the bridge<a class="headerlink" href="#ufw-add-rules-for-the-bridge" title="Link to this heading">¶</a></h3>
<p>If UFW has a rule to drop all unrecognized traffic, it blocks the traffic to and from the LXD bridge.
In this case, you must add rules to allow traffic to and from the bridge, as well as allowing traffic forwarded to it.</p>
<p>To do so, run the following commands:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo ufw allow in on <network_bridge>
sudo ufw route allow in on <network_bridge>
sudo ufw route allow out on <network_bridge>
</pre></div>
</div>
<p>For example:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0
sudo ufw route allow out on lxdbr0
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The commands given above show a simple example configuration.
Depending on your use case, you might need more advanced rules and the example configuration might inadvertently introduce a security risk.</p>
<p>Here’s an example for more restrictive firewall rules that limit access from the guests to the host to only DHCP and DNS and allow all outbound connections:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># allow the guest to get an IP from the LXD host</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="ow">in</span> <span class="n">on</span> <span class="n">lxdbr0</span> <span class="n">to</span> <span class="nb">any</span> <span class="n">port</span> <span class="mi">67</span> <span class="n">proto</span> <span class="n">udp</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="ow">in</span> <span class="n">on</span> <span class="n">lxdbr0</span> <span class="n">to</span> <span class="nb">any</span> <span class="n">port</span> <span class="mi">547</span> <span class="n">proto</span> <span class="n">udp</span>
<span class="c1"># allow the guest to resolve host names from the LXD host</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">allow</span> <span class="ow">in</span> <span class="n">on</span> <span class="n">lxdbr0</span> <span class="n">to</span> <span class="nb">any</span> <span class="n">port</span> <span class="mi">53</span>
<span class="c1"># allow the guest to have access to outbound connections</span>
<span class="n">CIDR4</span><span class="o">=</span><span class="s2">"$(lxc network get lxdbr0 ipv4.address | sed 's|\.[0-9]\+/|.0/|')"</span>
<span class="n">CIDR6</span><span class="o">=</span><span class="s2">"$(lxc network get lxdbr0 ipv6.address | sed 's|:[0-9]\+/|:/|')"</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">route</span> <span class="n">allow</span> <span class="ow">in</span> <span class="n">on</span> <span class="n">lxdbr0</span> <span class="kn">from</span><span class="w"> </span><span class="s2">"$</span><span class="si">{CIDR4}</span><span class="s2">"</span>
<span class="n">sudo</span> <span class="n">ufw</span> <span class="n">route</span> <span class="n">allow</span> <span class="ow">in</span> <span class="n">on</span> <span class="n">lxdbr0</span> <span class="kn">from</span><span class="w"> </span><span class="s2">"$</span><span class="si">{CIDR6}</span><span class="s2">"</span>
</pre></div>
</div>
</div>
</section>
</section>
<section id="prevent-connectivity-issues-with-lxd-and-docker">
<span id="network-lxd-docker"></span><h2>Prevent connectivity issues with LXD and Docker<a class="headerlink" href="#prevent-connectivity-issues-with-lxd-and-docker" title="Link to this heading">¶</a></h2>
<p>Running LXD and Docker on the same host can cause connectivity issues.
A common reason for these issues is that Docker sets the global FORWARD policy to <code class="docutils literal notranslate"><span class="pre">drop</span></code>, which prevents LXD from forwarding traffic and thus causes the instances to lose network connectivity.
See <a class="reference external" href="https://docs.docker.com/engine/network/packet-filtering-firewalls/#docker-on-a-router">Docker on a router</a> for detailed information.</p>
<p>There are multiple ways to work around this problem:</p>
<dl class="simple myst">
<dt>Enable IPv4 forwarding</dt><dd><p>To prevent Docker from modifying the global FORWARD policy, you can enable IPv4 forwarding <em>before</em> the Docker service starts. LXD bridge networks normally enable this setting, but if LXD starts after Docker, then Docker will already have modified the global FORWARD policy.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>For Docker versions prior to 28.0, enabling IPv4 forwarding can cause Docker container ports to be reachable from any machine on your local network. This is no longer the case since Docker 28.0. For details, see the <a class="reference external" href="https://www.docker.com/blog/docker-engine-28-hardening-container-networking-by-default/">announcement from Docker</a>.</p>
</div>
<p>Enable IPv4 forwarding with the following <code class="docutils literal notranslate"><span class="pre">sysctl</span></code> setting:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>net.ipv4.conf.all.forwarding=1
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>You must make this setting persistent across host reboots.</p>
<p>One way to ensure this is to add a file in the <code class="docutils literal notranslate"><span class="pre">/etc/sysctl.d/</span></code> directory by running the following commands:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>echo "net.ipv4.conf.all.forwarding=1" > /etc/sysctl.d/99-forwarding.conf
systemctl restart systemd-sysctl
</pre></div>
</div>
</div>
</dd>
<dt>Allow egress network traffic flows</dt><dd><p>If you do not want the Docker container ports to be potentially reachable from any machine on your local network, you can apply a more complex solution provided by Docker.</p>
<p>Use the following commands to explicitly allow egress network traffic flows from your LXD managed bridge interface:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>iptables -I DOCKER-USER -i <network_bridge> -j ACCEPT
ip6tables -I DOCKER-USER -i <network_bridge> -j ACCEPT
iptables -I DOCKER-USER -o <network_bridge> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I DOCKER-USER -o <network_bridge> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
</pre></div>
</div>
<p>For example, if your LXD managed bridge is called <code class="docutils literal notranslate"><span class="pre">lxdbr0</span></code>, you can allow egress traffic to flow using the following commands:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
ip6tables -I DOCKER-USER -i lxdbr0 -j ACCEPT
iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>You must make these firewall rules persistent across host reboots.
How to do this depends on your Linux distribution.</p>
</div>
</dd>
<dt>Uninstall Docker</dt><dd><p>To avoid issues with Docker entirely, uninstall Docker from the system that runs LXD and restart the system.
You can run Docker inside a LXD container or virtual machine instead.</p>
<p>See <a class="reference external" href="https://www.youtube.com/watch?v=_fCSSEyiGro">Running Docker inside of a LXD container</a> for detailed information.</p>
</dd>
</dl>
</section>
</section>
</article>
</div>
<footer>
<div class="related-pages">
<a class="next-page" href="../network_bridge_resolved/">
<div class="page-info">
<div class="context">
<span>Next</span>
</div>
<div class="title">How to integrate with <code class="docutils literal notranslate"><span class="pre">systemd-resolved</span></code></div>
</div>
<svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
</a>
<a class="prev-page" href="../network_zones/">
<svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
<div class="page-info">
<div class="context">
<span>Previous</span>
</div>
<div class="title">How to configure network zones</div>
</div>
</a>
</div>
<div class="bottom-of-page">
<div class="left-details">
<div class="copyright">
© 2014-2026 AGPL-3.0, LXD contributors
</div><div class="last-updated">
Last updated on Feb 12, 2026</div>
</div>
<div class="right-details">
<a href="" class="js-revoke-cookie-manager muted-link">Manage your tracker settings</a>
</div>
</footer>
</div>
<aside class="toc-drawer">
<div class="toc-sticky toc-scroll">
<div class="toc-title-container">
<span class="toc-title">
Contents
</span>
</div>
<div class="toc-tree-container">
<div class="toc-tree">
<ul>
<li><a class="reference internal" href="#">How to configure your firewall</a><ul>
<li><a class="reference internal" href="#xtables-vs-nftables"><code class="docutils literal notranslate"><span class="pre">xtables</span></code> vs. <code class="docutils literal notranslate"><span class="pre">nftables</span></code></a></li>
<li><a class="reference internal" href="#use-lxd-s-firewall">Use LXD’s firewall</a></li>
<li><a class="reference internal" href="#use-another-firewall">Use another firewall</a><ul>
<li><a class="reference internal" href="#disable-lxd-s-firewall-rules">Disable LXD’s firewall rules</a></li>
<li><a class="reference internal" href="#firewalld-add-the-bridge-to-the-trusted-zone"><code class="docutils literal notranslate"><span class="pre">firewalld</span></code>: Add the bridge to the trusted zone</a></li>
<li><a class="reference internal" href="#ufw-add-rules-for-the-bridge">UFW: Add rules for the bridge</a></li>
</ul>
</li>
<li><a class="reference internal" href="#prevent-connectivity-issues-with-lxd-and-docker">Prevent connectivity issues with LXD and Docker</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div class="relatedlinks-title-container">
<span class="relatedlinks-title">
Related links
</span>
</div>
<div class="relatedlinks-container">
<div class="relatedlinks">
<ul><li><a href="https://discuss.linuxcontainers.org/t/10034" target="_blank">Lxd bridge doesn't work with IPv4 and UFW with nftables</a></li><li><a href="https://discuss.linuxcontainers.org/t/9953" target="_blank">LXD and Docker Firewall Redux - How to deal with FORWARD policy set to drop</a></li></ul>
</div>
</div>
</div>
</aside>
</div>
</div><script src="../../_static/jquery.js?v=5d32c60e"></script>
<script src="../../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../../_static/documentation_options.js?v=a5603611"></script>
<script src="../../_static/doctools.js?v=9a2dae69"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/scripts/furo.js?v=46bd48cc"></script>
<script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
<script src="../../_static/copybutton.js?v=b01cb6f2"></script>
<script src="../../_static/config-options.js"></script>
<script src="../../_static/design-tabs.js?v=f930bc37"></script>
<script src="../../_static/js/bundle.js?v=a4d88309"></script>
<script src="../../_static/header-nav.js?v=e117ad08"></script>
<script src="../../_static/github_issue_links.js?v=32bb732f"></script>
<script>
const github_url = "https://github.com/canonical/lxd";
</script>
</body>
</html>