I have my lab with about 70 docker containers running and I would like to prevent them from being able to have WAN access.
My current idea: using MACVLAN, attach them to a VLAN hosted by my firewall and set up the appropriate rules to prevent that VLAN from accessing the internet.
Hi, segmentation is a great idea, especially for this many containers.
Depending on what else is running on the system, instead of MACVLAN you can assign them a private network namespace via systemd, or move the WAN access device into a dedicated network namespace into which you only move the other WAN-related programs.
A search engine found me this, which looks promisingly close to what I would look into when wanting to do something like this.
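The question's plan (MACVLAN on a dedicated VLAN, firewall refuses to forward that VLAN to the WAN) in concrete commands, as an added example that is not code from the thread or from either poster. Everything named here is an assumption: the Docker host NIC `eth0`, VLAN id 70, subnet 10.70.0.0/24 with the firewall at 10.70.0.1, a firewall-side VLAN interface `vlan70`, a WAN interface `wan0`, and an nftables-based firewall (the thread never names the firewall product). Run with no arguments to print both halves; `--docker-host` and `--firewall` apply them on the respective machine as root.

```shell
#!/bin/sh
# Added example, not from the thread. All interface names, the VLAN id and the
# subnets below are assumptions; override them through the environment.
VLAN_ID=${VLAN_ID:-70}                     # assumed VLAN tag carrying the lab
PARENT_IF=${PARENT_IF:-eth0}               # Docker host NIC trunked to the firewall
VLAN_SUBNET=${VLAN_SUBNET:-10.70.0.0/24}   # assumed lab subnet
VLAN_GW=${VLAN_GW:-10.70.0.1}              # firewall's address on the lab VLAN
FW_VLAN_IF=${FW_VLAN_IF:-vlan70}           # firewall-side VLAN interface
FW_WAN_IF=${FW_WAN_IF:-wan0}               # firewall-side WAN interface
NET_NAME=${NET_NAME:-lab-nowan}            # Docker network name

# Docker host side: an 802.1Q sub-interface on the trunk and a macvlan network
# whose parent is that sub-interface, so every container frame leaves tagged
# and the firewall (not the Docker host) is the containers' default gateway.
docker_host_cmds() {
  cat <<EOF
ip link add link ${PARENT_IF} name ${PARENT_IF}.${VLAN_ID} type vlan id ${VLAN_ID}
ip link set ${PARENT_IF}.${VLAN_ID} up
docker network create -d macvlan --subnet=${VLAN_SUBNET} --gateway=${VLAN_GW} -o parent=${PARENT_IF}.${VLAN_ID} ${NET_NAME}
EOF
}

# Firewall side: forward chain with policy drop. Return traffic for flows that
# were allowed is accepted, and the lab VLAN -> WAN path is dropped explicitly
# (with a counter, so "nft list ruleset" shows attempts) before anything else
# could accept it. The lab needing a LAN service means adding an explicit
# accept for that service; the default stays drop.
firewall_ruleset() {
  cat <<EOF
table inet lab_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    iifname "${FW_VLAN_IF}" oifname "${FW_WAN_IF}" counter drop comment "lab VLAN never reaches WAN"
    ct state established,related accept
  }
}
EOF
}

# Check from inside a container: a direct-to-IP fetch must fail (time out or be
# refused), otherwise the VLAN is still being forwarded to the WAN somewhere.
verify_cmd() {
  echo "docker run --rm --network ${NET_NAME} alpine:3 wget -qO- -T 5 http://1.1.1.1 && echo LEAK || echo BLOCKED"
}

case "${1:-}" in
  --docker-host) docker_host_cmds | sh -e ;;   # on the Docker host, as root
  --firewall)    firewall_ruleset | nft -f - ;; # on the firewall, as root
  *) docker_host_cmds; echo; firewall_ruleset; echo; verify_cmd ;;
esac
```

Two caveats worth knowing before relying on this. The rule only governs forwarded traffic: a DNS or NTP service the firewall itself offers on the VLAN gateway address is input-chain traffic and will still answer (and a resolver that forwards upstream will answer from the internet), so either block those in the firewall's input chain for `vlan70` or accept that name resolution works while everything else is cut. And with macvlan the Docker host cannot reach its own containers through the parent interface by default, which is usually what you want for an isolated lab but surprises people when a host-side health check stops working.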