I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

  • Adam
    link
    fedilink
    English
    410 months ago

    Docker will have only exposed container ports if you told it to.

    If you used -p 8080:80 (cli) or - 8080:80 (docker-compose) then docker will have dutifully NAT’d those ports through your firewall. You can either not do either of those if it’s a port you don’t want exposed or as @[email protected] says below you can ensure it’s only mapped to localhost (or an otherwise non-public) IP.

    • Midnight Wolf
      link
      English
      110 months ago

      Thanks - more detailed reply below :)