Context: Docker bypasses all UFW firewall rules
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
I DIDNT KNOW THAT! WOW, this puts “not to use network_mode: host” another level.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
This is why I install on bare metal, baby!
-
I DIDNT KNOW THAT! WOW, this puts “not to use network_mode: host” another level.
network: hostgives the container basically full access to any port it wants. But even with other network modes you need to be careful, as any-p <external port>:<container port>creates the appropriate firewall rule automatically. -
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
You're forgetting the part where they had an option to disable this fuckery, and then proceeded to move it twice - exposing containers to everyone by default.
I had to clean up compromised services twice because of it.
-
This was a large part of the reason I switched to rootless podman for everything
My problem with podman is the incompatibility with portainer
Any recommendations?
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Docker does not play fair, does not play nice. It’s a dozer that plow through everything for devops that yolo and rush to production.
-
My problem with podman is the incompatibility with portainer
Any recommendations?
CLI and Quadlet? /s but seriously, that's what I use lol
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
If I had a nickel for every database I've lost because I let docker broadcast its port on 0.0.0.0 I'd have about 35¢
-
My problem with podman is the incompatibility with portainer
Any recommendations?
cockpit has a podman/container extension you might like.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
I've been playing with systemd-nspawn for my containers recently, and I've been enjoying it!
-
My problem with podman is the incompatibility with portainer
Any recommendations?
I assume portainer communicates via the docker socket? If so, couldn’t you just point portainer to the podman socket?
-
It’s my understanding that docker uses a lot of fuckery and hackery to do what they do. And IME they don’t seem to care if it breaks things.
I don’t know how much hackery and fuckery there is with docker specifically. The majority of what docker does was already present in the Linux kernel namespaces, cgroups etc. Docker just made it easier to build and ship the isolated environments between systems.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Wait, that's illegal
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
I mean if you're hosting anything publicly, you really should have a dedicated firewall
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like "you can follow these thirty steps to make Docker secure, or just run Podman instead." https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Somehow I think that's on ufw not docker. A firewall shouldn't depend on applications playing by their rules.
-
Somehow I think that's on ufw not docker. A firewall shouldn't depend on applications playing by their rules.
ufw just manages iptables rules, if docker overrides those it's on them IMO
-
Somehow I think that's on ufw not docker. A firewall shouldn't depend on applications playing by their rules.
Docker spesifically creates rules for itself which are by default open to everyone. UFW (and underlying eftables/iptables) just does as it's told by the system root (via docker). I can't really blame the system when it does what it's told to do and it's been administrators job to manage that in a reasonable way since forever.
And (not related to linux or docker in any way) there's still big commercial software which highly paid consultants install and the very first thing they do is to turn the firewall off....
-
ufw just manages iptables rules, if docker overrides those it's on them IMO
Feels weird that an application is allowed to override iptables though. I get that when it's installed with root everything's off the table, but still....
-
cockpit has a podman/container extension you might like.
wrote last edited by [email protected]It's okay for simple things, but too simple for anything beyond that, IMO. One important issue is that unlike with Portainer you can't edit the container in any way without deleting it and configuring it again, which is quite annoying if you just want to change 1 environment variable (GH Issue). Perhaps they will add a quadlet config tool to cockpit sometime in the future.
