Skip to main content

Home/ Larvata/ Group items tagged ufw

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
張 旭

chaifeng/ufw-docker: To fix the Docker and UFW security flaw without disabling iptables - 0 views

github.com/ufw-docker

iptables docker

shared by 張 旭 on 13 Jul 22 - No Cached
  • It requires to disable docker's iptables function first, but this also means that we give up docker's network management function.
  • This causes containers will not be able to access the external network.
  • such as -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE. But this only allows containers that belong to network 172.17.0.0/16 can access outside.
  • ...13 more annotations...
  • Don't need to disable Docker's iptables and let Docker to manage it's network.
  • The public network cannot access ports that published by Docker.
  • In a very convenient way to allow/deny public networks to access container ports without additional software and extra configurations
  • Enable Docker's iptables feature. Remove all changes like --iptables=false , including configuration file /etc/docker/daemon.json
  • Modify the UFW configuration file /etc/ufw/after.rules
  • There may be some unknown reasons cause the UFW rules will not take effect after restart UFW, please reboot servers.
  • If we publish a port by using option -p 8080:80, we should use the container port 80, not the host port 8080
  • allow the private networks to be able to visit each other.
  • The following rules block connection requests initiated by all public networks, but allow internal networks to access external networks.
  • Since the UDP protocol is stateless, it is not possible to block the handshake signal that initiates the connection request as TCP does.
  • For GNU/Linux we can find the local port range in the file /proc/sys/net/ipv4/ip_local_port_range. The default range is 32768 60999
  • It not only exposes ports of containers but also exposes ports of the host.
  • Cannot expose services running on hosts and containers at the same time by the same command.
  • 張 旭 on 13 Jul 22
     
    "It requires to disable docker's iptables function first, but this also means that we give up docker's network management function."
張 旭

The dangers of UFW + Docker | Viktor's ramblings - 0 views

blog.viktorpetersson.com/...the-dangers-of-ufw-docker.html

iptables docker ufw firewall

shared by 張 旭 on 13 Jul 22 - No Cached
  • UFW doesn’t tell you iptables true state (not shocking, but still).
  • 張 旭 on 13 Jul 22
     
    "UFW doesn't tell you iptables true state (not shocking, but still). "
1 - 2 of 2
Showing 20 items per page