What does HackerNews think of ufw-docker?

To fix the Docker and UFW security flaw without disabling iptables

Language: Shell

#20 in Docker
#22 in Linux
#13 in Security
#3 in Ubuntu
[2016]

A solution is known and detailed here: https://github.com/chaifeng/ufw-docker

Docker does add iptables rules by default, which bypass other rules such as those you might set with ufw.

https://github.com/chaifeng/ufw-docker has a good overview and ufw-specific solution (I use it on my rpi).

Docker's behavior is unintuitive but makes sense given how container networking works. If you use UFW, read https://github.com/chaifeng/ufw-docker and follow the guide.

Then configuring firewall rules for containers is as easy as

    - name: Open HTTPS
      ufw:
        rule: allow
        proto: tcp
        route: true
        port: 443

I have been using the ufw-docker script[1] to patch the ufw and docker issue on my servers. The docker containers are publicly accessible even if you have ufw enabled and rules applied.

These days it's better to use the hosting provider's firewall on top of ufw. Leading providers like AWS, Hetzner, etc. all provide the feature to add firewall rules via their UI.

[1] https://github.com/chaifeng/ufw-docker

There's no problem if you use only basic iptables rules, but ufw uses iptables in a very complicated way. If you want ufw and docker to play well together, you have to disable docker's iptables manipulations or use ufw-docker as the author does. More about that in the ufw-docker documentation: https://github.com/chaifeng/ufw-docker

For UFW users, installing this will make docker compatible with the firewall.

https://github.com/chaifeng/ufw-docker

If I'm reading the docker-compose file correctly, this creates an open dns resolver that is accessible to the outside, as Docker by default bypasses the firewall, see https://github.com/chaifeng/ufw-docker. I'm not quite sure about that, though, so I'd be happy to be corrected and learn more about how your setup works exactly.
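The comments above describe the mechanism (Docker publishes `-p` ports through its own nat/FORWARD rules, so ufw's INPUT deny rules never see that traffic) and the last one worries about an accidentally open DNS resolver. The following POSIX shell audit is an added example, not code from the page or from the ufw-docker project: it reads `docker ps --format '{{.Names}} {{.Ports}}'` output and flags every published port that is reachable past ufw, treating only loopback-bound publications as safe. The mapping syntax it parses (`HOST:PORT->CPORT/PROTO`, comma separated) is the `docker ps` format as I know it, and the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the page or from the ufw-docker project.
# Docker implements -p with a DNAT rule in the nat table plus ACCEPT rules in
# the filter FORWARD chain, so traffic to a published port never traverses
# INPUT, where ufw's user rules live. A publication bound to 0.0.0.0, :: or a
# specific interface address is therefore reachable even when ufw denies the
# port; only loopback-bound publications stay unreachable from outside.
#
# Live use:  docker ps --format '{{.Names}} {{.Ports}}' | audit_ports
# Offline:   printf '%s\n' "$SAMPLE" | audit_ports

arrow='->'

# Classify one mapping as printed by `docker ps` ({{.Ports}}), e.g.
# "0.0.0.0:80->80/tcp", ":::80->80/tcp", "127.0.0.1:5353->53/udp", "53/udp".
# Prints EXPOSED, LOCAL or UNPUBLISHED.
classify_binding() {
  m=$1
  case "$m" in
    *"$arrow"*) ;;
    *) echo UNPUBLISHED; return 0 ;;   # reachable only on the container network
  esac
  lhs=${m%%"$arrow"*}   # "0.0.0.0:80", ":::80" or "[::]:80"
  host=${lhs%:*}        # strip the host port -> "0.0.0.0", "::", "[::]"
  case "$host" in
    127.*|::1|\[::1\]) echo LOCAL ;;    # loopback: ufw bypass is harmless here
    *) echo EXPOSED ;;                  # wildcard or interface IP: bypasses ufw
  esac
}

# Read "name ports" lines from stdin; print "VERDICT name mapping" per mapping.
audit_ports() {
  while read -r name ports; do
    [ -n "$ports" ] || continue
    # mappings are comma separated: "0.0.0.0:80->80/tcp, :::80->80/tcp"
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r m; do
      [ -n "$m" ] || continue
      printf '%s %s %s\n' "$(classify_binding "$m")" "$name" "$m"
    done
  done
}

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
SAMPLE='web 0.0.0.0:443->443/tcp, :::443->443/tcp
dns 0.0.0.0:53->53/udp
db 127.0.0.1:5432->5432/tcp
worker 9000/tcp'

# Number of publications in SAMPLE that bypass ufw (IPv4 and IPv6 counted
# separately, as Docker publishes them separately).
count_exposed() {
  printf '%s\n' "$SAMPLE" | audit_ports | grep -c '^EXPOSED'
}
```

On the sample, `web` and `dns` are reported EXPOSED (three publications in total), `db` is LOCAL and `worker` is UNPUBLISHED. Anything reported EXPOSED is the case the thread is about: either rebind it to 127.0.0.1 (or put it on an internal network only) or filter it in the DOCKER-USER chain the way the ufw-docker guide describes; a host provider firewall, as one comment suggests, is an independent layer that Docker's rules cannot bypass.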