Context: Docker bypasses all UFW firewall rules
-
eh, booting into single user mod should work fine, uninstall podman and init 5
wrote last edited by [email protected]Okay so I’ve done some digging and got my VM to boot up! This is not Podman’s fault, I got lazy setting up Proxmox and never really learned LVM volume storage, while internally on the VM it shows 90Gb used of 325Gb Proxmox is claiming 377Gb is used on the LVM-Thin partition.
I’m backing up my files as we speak, thinking of purging it all and starting over.
Edit: before I do the sacrificial purge This seems promising.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
We use Firewalld integration with Docker instead due to issues with UFW. Didn't face any major issues with it.
-
That caused issues with Docker containers being unable to communicate with eachother for me.
Did you allow the containers to talk to eachother with ufw after setting it up?
-
Okay so I’ve done some digging and got my VM to boot up! This is not Podman’s fault, I got lazy setting up Proxmox and never really learned LVM volume storage, while internally on the VM it shows 90Gb used of 325Gb Proxmox is claiming 377Gb is used on the LVM-Thin partition.
I’m backing up my files as we speak, thinking of purging it all and starting over.
Edit: before I do the sacrificial purge This seems promising.
thinking of purging it all and starting over.
Don't do that. You'll learn nothing.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
rootless podman and sockets
️ -
thinking of purging it all and starting over.
Don't do that. You'll learn nothing.
So I happened to follow the advice from that Proxmox post, enabled the “Discard” option for the disk and ran
sudo fstrim /within the VM, now the Proxmox LVM-Thin partition is sitting at a comfortable 135Gb out of 377Gb.Think I’m going to use this
fstrimcommand on my main desktop to free up space. -
I DIDNT KNOW THAT! WOW, this puts “not to use network_mode: host” another level.
Actually I believe host networking would be the one case where this isn't an issue. Docker isn't adding iptables rules to do NAT masquerading because there is no IP forwarding being done.
When you tell docker to expose a port you can tell it to bind to loopback and this isn't an issue.
-
Did you allow the containers to talk to eachother with ufw after setting it up?
Yes, you can fix it by doing this
echo "Adding rules for Docker subnets to allow communication between containers..." for subnet in $(docker network inspect bridge -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}'); sudo ufw allow from $subnet echo "Added rule for $subnet" done -
We use Firewalld integration with Docker instead due to issues with UFW. Didn't face any major issues with it.
I also ended up using firewalld and it mostly worked, although I first had to change some zone configs.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
For all the raving about podman, it's dumb too. I've seen multiple container networks stupidly route traffic across each other when they shouldn't. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn't work unless it is configured correctly.
-
For all the raving about podman, it's dumb too. I've seen multiple container networks stupidly route traffic across each other when they shouldn't. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn't work unless it is configured correctly.
Or maybe it should be easy to configure correctly?
-
Do you mean a hardware firewall?
Basically yeah, though I didn't specify hardware because of how often virtualization is done now
-
Basically yeah, though I didn't specify hardware because of how often virtualization is done now
The VPS I'm using unfortunately doesn't offer an external firewall
-
So I happened to follow the advice from that Proxmox post, enabled the “Discard” option for the disk and ran
sudo fstrim /within the VM, now the Proxmox LVM-Thin partition is sitting at a comfortable 135Gb out of 377Gb.Think I’m going to use this
fstrimcommand on my main desktop to free up space.wrote last edited by [email protected]I think linux does fstrim oob.
edit: I meant to say linux distros are set up to do that automatically.
-
Also when using a rootfull Podman socket?
When running as root, I did not need to add the firewall rule.
-
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like "you can follow these thirty steps to make Docker secure, or just run Podman instead." https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Another take: Why should I care about dependency hell if I can just spin up the same service on the same machine without needing an additional VM and with minimal configuration changes.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Nat is not security.
Keep that in mind.
It's just a crutch ipv4 has to use because it's not as powerful as the almighty ipv6
-
Try podman and quadlets
What advantage does it have over nspawn?
-
Nat is not security.
Keep that in mind.
It's just a crutch ipv4 has to use because it's not as powerful as the almighty ipv6
