I’ve recently learned that UFW firewall rules do not affect Docker containers. I am looking into learning firewall rules in depth but in the meantime I want make sure I don’t fuck something up, so here are a few questions:

1- On a host that drops all incoming connections (configured through UFW), if I have a container with only a single port mapping 127.0.0.1:8080:80 is there any way to access this container through the public internet, what about 8080:80 or no port mapping at all?

2- How do I drop all incoming connections to all Docker containers and do I need to do that? Similar to ufw default deny incoming?

3- Is there a way to see all incoming/outgoing connections of all containers?

Thanks in advance and any resource advice for securing docker for dummies is appreciated.

  • Dangerhart@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 days ago

    I too read that it didn’t work with docker but that was not my experience on Ubuntu 24.04. Maybe it’s just docker desktop but I had all sorts of other issues with docker desktop and ditched it for plain docker, using lazydocker for an interface. I think one of the issues for outgoing connections at least is that IPs for the containers can change. I don’t remember exactly what my setup is currently but you shouldn’t have an issue opening up just specific ports mapped to a container while having default deny incoming. Not specific to containers but there are a few different Linux commands to get all ports and the processes listening on them, I used them extensively to debug my firewall setup. I can’t remember them either off the top of my head but you should be able to google for your distro.

    • Dangerhart@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      8 days ago

      To add, you may not need to worry too much about setting up a firewall if your machine is behind a router/gateway that also has a firewall. There are arguments both ways, I would suggest researching that some. I did it because I could so why not, but I also only have wireguard exposed publicly so it may be over kill