Context: Docker bypasses all UFW firewall rules
-
I DIDNT KNOW THAT! WOW, this puts “not to use network_mode: host” another level.
Actually I believe host networking would be the one case where this isn't an issue. Docker isn't adding iptables rules to do NAT masquerading because there is no IP forwarding being done.
When you tell docker to expose a port you can tell it to bind to loopback and this isn't an issue.
-
Did you allow the containers to talk to eachother with ufw after setting it up?
Yes, you can fix it by doing this
echo "Adding rules for Docker subnets to allow communication between containers..." for subnet in $(docker network inspect bridge -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}'); sudo ufw allow from $subnet echo "Added rule for $subnet" done -
We use Firewalld integration with Docker instead due to issues with UFW. Didn't face any major issues with it.
I also ended up using firewalld and it mostly worked, although I first had to change some zone configs.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
For all the raving about podman, it's dumb too. I've seen multiple container networks stupidly route traffic across each other when they shouldn't. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn't work unless it is configured correctly.
-
For all the raving about podman, it's dumb too. I've seen multiple container networks stupidly route traffic across each other when they shouldn't. Yay services kept running, but it defeats the purpose. Networking should be so hard that it doesn't work unless it is configured correctly.
Or maybe it should be easy to configure correctly?
-
Do you mean a hardware firewall?
Basically yeah, though I didn't specify hardware because of how often virtualization is done now
-
Basically yeah, though I didn't specify hardware because of how often virtualization is done now
The VPS I'm using unfortunately doesn't offer an external firewall
-
So I happened to follow the advice from that Proxmox post, enabled the “Discard” option for the disk and ran
sudo fstrim /within the VM, now the Proxmox LVM-Thin partition is sitting at a comfortable 135Gb out of 377Gb.Think I’m going to use this
fstrimcommand on my main desktop to free up space.wrote last edited by [email protected]I think linux does fstrim oob.
edit: I meant to say linux distros are set up to do that automatically.
-
Also when using a rootfull Podman socket?
When running as root, I did not need to add the firewall rule.
-
My impression from a recent crash course on Docker is that it got popular because it allows script kiddies to spin up services very fast without knowing how they work.
OWASP was like "you can follow these thirty steps to make Docker secure, or just run Podman instead." https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Another take: Why should I care about dependency hell if I can just spin up the same service on the same machine without needing an additional VM and with minimal configuration changes.
-
Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
Nat is not security.
Keep that in mind.
It's just a crutch ipv4 has to use because it's not as powerful as the almighty ipv6
-
Try podman and quadlets
What advantage does it have over nspawn?
-
Nat is not security.
Keep that in mind.
It's just a crutch ipv4 has to use because it's not as powerful as the almighty ipv6
-
When running as root, I did not need to add the firewall rule.
Thanks for checking
-
The VPS I'm using unfortunately doesn't offer an external firewall
Well, if you have the option you could set up a virtual network through the VPS and have a box with pfsense or something to route all traffic through. Take this with a grain of salt - I've seen this done but never done it fully myself.
-
Well, if you have the option you could set up a virtual network through the VPS and have a box with pfsense or something to route all traffic through. Take this with a grain of salt - I've seen this done but never done it fully myself.
I've just disabled all incoming connections (including SSH etc.) and access everything through WireGuard
-
Or maybe it should be easy to configure correctly?
instructions unclear, now its hard to use and to configure
-
I mean if you're hosting anything publicly, you really should have a dedicated firewall
have a dedicated firewall
I mean, don’t router firewalls count in this regard? Isn’t that kinda part of their job?
-
I think linux does fstrim oob.
edit: I meant to say linux distros are set up to do that automatically.
wrote last edited by [email protected]It’s been about a day since this issue and now I’ve been keeping a close eye on my local-lvm, it fills fast, like, ridiculously fast and I’ve been having to run
sudo fstrim /inside the VM just to keep it maintained. I’m finding it weird I’m now just noticing this as this server has been running for months!For now I edited my
/etc/bash.bashrcso whenever I ssh in it’ll automatically runsudo fstrim /, there is something I’m likely missing but this works as a temporary solution. -
I exposed them because I used the container for local development too. I just kept reseeding every time it got hacked before I figured I should actually look into security.
Where are you working that your local machine is regularly exposed to malicious traffic?
