• @[email protected]
    link
    fedilink
    310 months ago

    What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.

      • @[email protected]
        link
        fedilink
        210 months ago

        I remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)

        • @[email protected]
          link
          fedilink
          110 months ago

          Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?

          • @[email protected]
            link
            fedilink
            110 months ago

            I can configure the containers in ways that don’t require ports to be published for the real network, but that’s always possible. It would still be nice to have a firewall that can block even those containers that try to publish their ports to the whole (real) network.

    • @[email protected]
      link
      fedilink
      210 months ago

      UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.

    • @Crack0n7uesday
      link
      1
      edit-2
      10 months ago

      You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…

    • @[email protected]
      link
      fedilink
      110 months ago

      Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.

        • @[email protected]
          link
          fedilink
          110 months ago

          If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.

          • @[email protected]
            link
            fedilink
            110 months ago

            Yeah of course, that’s what I’m doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.