I deployed docker on a VPS a few weeks ago as a sort of learning experience since I haven't really worked with containers much before. Today I learned that docker doesn't like firewalls.

Or, to be more specific, it adds rules to iptables that are applied prior to ufw rules, allowing external connections that I really didn't want to allow. If I don't explicitly specify that a port is to be published only to localhost, then it punches a hole through my firewall without telling me.

Which means that all of my containers running behind an nginx reverse proxy that auto-redirects to HTTPS... were also accessible directly via HTTP.

I'm... trying to think of a reason why this kind of default behavior was a good idea, but I'm drawing a blank.

Fucking Docker.

  • 0
    Yeah, I was surprised as well. I just map ports to socket files, which is also a solution.

    Edit: oh, you have the solution already. My bad
  • 0
    @rooter yeah, I ended up doing the same thing. Just spent an hour or two searching for solutions before finding that one. The most common solution seems to involve manually configuring iptables which is a headache I want to avoid.

    Hmm, I bet fail2ban isn't working either. Damn. Nobody's attempted to brute force my Bitwarden login yet but I should probably make sure.
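A small audit script for the problem described in the post and the fail2ban worry in the comment above, added here as an example (not code from the original post or from Docker): a port spec with no host address, such as "8080:80" or "3000", is published on 0.0.0.0, and Docker installs its own ACCEPT rules in the DOCKER chain, which is reached from FORWARD, so neither ufw's INPUT rules nor fail2ban's INPUT-based bans ever see that traffic. Binding the published port to 127.0.0.1 keeps the container reachable only through the host, for instance via the local nginx reverse proxy. The compose port values below are constructed sample data, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit Docker port-publishing specs
# so that nothing ends up on 0.0.0.0 by accident. Docker's DOCKER chain is
# consulted from FORWARD, so ufw (INPUT) and fail2ban (INPUT) never see the
# traffic; publishing on 127.0.0.1 keeps the container behind the host proxy.

# Returns 0 when the spec is already bound to a loopback address, 1 otherwise.
is_loopback_publish() {
    case "$1" in
        127.0.0.1:*|localhost:*|\[::1\]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrites a spec to its loopback-bound form:
#   HOST:CONTAINER        -> 127.0.0.1:HOST:CONTAINER
#   0.0.0.0:HOST:CONTAINER -> 127.0.0.1:HOST:CONTAINER
#   CONTAINER             -> 127.0.0.1::CONTAINER  (random host port, loopback only)
# A spec with some other explicit host IP is printed unchanged for manual review.
to_loopback_publish() {
    spec="$1"
    if is_loopback_publish "$spec"; then
        printf '%s\n' "$spec"
        return 0
    fi
    case "$spec" in
        0.0.0.0:*) printf '127.0.0.1:%s\n' "${spec#0.0.0.0:}" ;;
        *:*:*)     printf '%s\n' "$spec" ;;
        *:*)       printf '127.0.0.1:%s\n' "$spec" ;;
        *)         printf '127.0.0.1::%s\n' "$spec" ;;
    esac
}

# Constructed sample of "ports:" values from a docker-compose.yml (not a real
# config); one spec per line, as they look after stripping "- " and quotes.
SAMPLE_PORTS='8080:80
127.0.0.1:8443:443
0.0.0.0:5432:5432
3000'

# Prints each spec that would be exposed on all interfaces, with its fix, on
# stderr, and the number of such specs on stdout.
count_exposed() {
    n=0
    for s in $1; do
        if ! is_loopback_publish "$s"; then
            n=$((n + 1))
            echo "EXPOSED: $s -> publish as $(to_loopback_publish "$s")" >&2
        fi
    done
    echo "$n"
}

# To confirm on a live host what actually got published, run as root:
#   docker ps --format '{{.Names}} {{.Ports}}'   # "0.0.0.0:8080->80/tcp" means exposed
#   iptables -S DOCKER                            # Docker's own ACCEPT rules
#   ss -ltnp                                      # listeners on 0.0.0.0 vs 127.0.0.1
count_exposed "$SAMPLE_PORTS"
```

Run it against the sample and it reports three exposed specs with their loopback replacements; on a real host, feed it the port values from your compose file, then use the three commands in the trailing comment to check that only 127.0.0.1 listeners and no unexpected DOCKER-chain ACCEPT rules remain.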