717
Firewall (lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
[-] PlexSheep@feddit.de 3 points 10 months ago

What is a good firewall that can also block ports published with docker? I'd need it to run on the same host.

[-] iiGxC@slrpnk.net 3 points 10 months ago

Ufw should work, jus ufw block/limit/allow port number

[-] PlexSheep@feddit.de 2 points 10 months ago

I remember trying with ufw and the docker ports were still open. Iirc I've read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)

[-] iiGxC@slrpnk.net 1 points 10 months ago

Hmm, not sure. I know with docker you can "mock" ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?

[-] PlexSheep@feddit.de 1 points 10 months ago

I can configure the containers in ways that don't require ports to be published for the real network, but that's always possible. It would still be nice to have a firewall that can block even those containers that try to publish their ports to the whole (real) network.

[-] derpgon@programming.dev 2 points 10 months ago

UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It's a little finicky but works.

[-] JasonDJ@lemmy.zip 1 points 10 months ago

But…why?

Project Calico is designed for segmenting network traffic between kubernetes workloads.

Right tool for the job.

Also if you are a Fortinet shop, supposedly you can manage rules with FortiManager. I haven’t tried that yet but it looks really cool.

[-] derpgon@programming.dev 1 points 10 months ago

I was specifically talking about Docker+UFW. Of course the possibilities are endless.

[-] PlexSheep@feddit.de 1 points 10 months ago

Interesting, I might have to read up on that next time. Thanks

[-] tux7350@lemmy.world 1 points 10 months ago

I ran into this same situation, this repo helped me solve it.

https://github.com/chaifeng/ufw-docker#solving-ufw-and-docker-issues

[-] Crack0n7uesday@lemmy.world 1 points 10 months ago* (last edited 10 months ago)

You want a virtual firewall. Is this for profit or just your science project because that's going to change the answer. You might hate me, but I'm still gonna say it, Cisco....

[-] PlexSheep@feddit.de 1 points 10 months ago

For my homelab, and I'll only host OSS

[-] dan@upvote.au 1 points 10 months ago

Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn't expose the container publicly unless you explicitly expose a port. If you don't expose a port, the Docker container is only accessible from the host, not from any other system on the network.

[-] PlexSheep@feddit.de 1 points 10 months ago

They are Only in my docker bridge networks and have a few published ports

[-] dan@upvote.au 1 points 10 months ago

If you don't want the Docker container to be accessible from other systems then just don't publish the port.

[-] PlexSheep@feddit.de 1 points 10 months ago

Yeah of course, that's what I'm doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.

this post was submitted on 16 Feb 2024
717 points (97.6% liked)

Programmer Humor

32745 readers
127 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS