• PlexSheep@feddit.de
    link
    fedilink
    arrow-up
    3
    ·
    10 months ago

    What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.

      • PlexSheep@feddit.de
        link
        fedilink
        arrow-up
        2
        ·
        10 months ago

        I remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)

        • iiGxC@slrpnk.net
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?

          • PlexSheep@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            10 months ago

            I can configure the containers in ways that don’t require ports to be published for the real network, but that’s always possible. It would still be nice to have a firewall that can block even those containers that try to publish their ports to the whole (real) network.

    • derpgon@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      10 months ago

      UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.

    • Crack0n7uesday@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      10 months ago

      You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…

    • dan@upvote.au
      link
      fedilink
      arrow-up
      1
      ·
      10 months ago

      Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.

          • PlexSheep@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            10 months ago

            Yeah of course, that’s what I’m doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.