this post was submitted on 23 Oct 2024
17 points (90.5% liked)

Selfhosted

40487 readers
185 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I've recently learned that UFW firewall rules do not affect Docker containers. I am looking into learning firewall rules in depth but in the meantime I want make sure I don't fuck something up, so here are a few questions:

1- On a host that drops all incoming connections (configured through UFW), if I have a container with only a single port mapping 127.0.0.1:8080:80 is there any way to access this container through the public internet, what about 8080:80 or no port mapping at all?

2- How do I drop all incoming connections to all Docker containers and do I need to do that? Similar to ufw default deny incoming?

3- Is there a way to see all incoming/outgoing connections of all containers?

Thanks in advance and any resource advice for securing docker for dummies is appreciated.

you are viewing a single comment's thread
view the rest of the comments
[–] Dangerhart@lemm.ee 1 points 1 month ago (1 children)

I too read that it didn't work with docker but that was not my experience on Ubuntu 24.04. Maybe it's just docker desktop but I had all sorts of other issues with docker desktop and ditched it for plain docker, using lazydocker for an interface. I think one of the issues for outgoing connections at least is that IPs for the containers can change. I don't remember exactly what my setup is currently but you shouldn't have an issue opening up just specific ports mapped to a container while having default deny incoming. Not specific to containers but there are a few different Linux commands to get all ports and the processes listening on them, I used them extensively to debug my firewall setup. I can't remember them either off the top of my head but you should be able to google for your distro.

[–] Dangerhart@lemm.ee 1 points 1 month ago* (last edited 1 month ago)

To add, you may not need to worry too much about setting up a firewall if your machine is behind a router/gateway that also has a firewall. There are arguments both ways, I would suggest researching that some. I did it because I could so why not, but I also only have wireguard exposed publicly so it may be over kill