You’re probably already aware of this, but if you run Docker on Linux and use ufw or firewalld - it will bypass all your firewall rules. It doesn’t matter what your defaults are or how strict you are about opening ports; Docker has free rein to send and receive from the host as it pleases.
If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you’re a pointy head with a fetish for iptables this will be a world of pain, so it isn’t really a solution.
There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason it’s no longer working and Docker is back to doing its own thing.
Am I missing an obvious solution here?
It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.
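
As an added example (not part of the original post): a small audit that compares the ports Docker publishes with the ports ufw allows, listing what is reachable without a matching ufw rule. The `docker ps` and `ufw status` text below is constructed sample data, and the function names are this example's own.

```python
import re
# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
DOCKER_PS = """\
web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp
db\t127.0.0.1:5432->5432/tcp
cache\t6379/tcp
proxy\t0.0.0.0:443->443/tcp, 0.0.0.0:9000-9001->9000-9001/tcp
"""
# Constructed sample of: ufw status
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
"""
PUBLISH = re.compile(r"(?P<ip>.*):(?P<lo>\d+)(?:-(?P<hi>\d+))?->\d+(?:-\d+)?/(?P<proto>\w+)")

def published_ports(docker_ps):
    """Yield (container, bind_ip, host_port, proto) for every published port."""
    for line in docker_ps.splitlines():
        name, _, ports = line.partition("\t")
        for entry in ports.split(","):
            m = PUBLISH.fullmatch(entry.strip())
            if m:  # entries without "->" (e.g. "6379/tcp") are not published
                lo = int(m["lo"])
                for port in range(lo, int(m["hi"] or lo) + 1):
                    yield name, m["ip"], port, m["proto"]

def ufw_allowed(ufw_status):
    """Return the {(port, proto)} pairs that have a simple ufw ALLOW rule."""
    allowed = set()
    for line in ufw_status.splitlines():
        m = re.match(r"(\d+)(?:/(tcp|udp))?\s.*\bALLOW\b", line)
        if m:
            allowed.update((int(m[1]), p) for p in ([m[2]] if m[2] else ["tcp", "udp"]))
    return allowed

def unexpected_exposure(docker_ps, ufw_status):
    """Ports Docker publishes on non-loopback addresses with no ufw ALLOW rule."""
    allowed = ufw_allowed(ufw_status)
    return sorted({(name, port, proto)
                   for name, ip, port, proto in published_ports(docker_ps)
                   if not (ip.startswith("127.") or ip in ("::1", "[::1]"))
                   and (port, proto) not in allowed})

if __name__ == "__main__":
    print(unexpected_exposure(DOCKER_PS, UFW_STATUS))
```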


this is the second time I’ve seen a post like this.
docker has always been like this. if it’s news to you then you must be new to docker.
if you’re using the built in firewall to secure your system on your wan, you’re doing it wrong. get a physical firewall. if you’re doing it to secure your lan then you just need to put in some proper routes and let your hardware firewall sort it out with some vlans.
don’t rely on firewalld or iptables for anything.
What if you rent a bare metal server in a data center? Or rent a VPS from a basic provider that expects you to do your own firewalling? Or run your home lab docker host on the same vlan as other less trusted hosts?
It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.
You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.
any msp will work with your security requirements for a cost. if you can’t afford it, then you shouldn’t be using an msp.
find a better msp. if a vendor you’re paying tells you to fuck off with your requirements for a secure system, they are telling you that you don’t matter to them and their only goal is to take your money.
don’t? IDK what to tell you if you understand what a vlan is and still refuse to set one up properly to segment your network securely.
don’t confuse reliable with convenient. iptables and firewalld are not reliable, but they are certainly convenient.
poor network architecture is no excuse. do it the proper way or you’re going to get your shit exposed one day.