I’ve recently learned that UFW firewall rules do not affect Docker containers. I am looking into learning firewall rules in depth but in the meantime I want make sure I don’t fuck something up, so here are a few questions:
1- On a host that drops all incoming connections (configured through UFW), if I have a container with only a single port mapping 127.0.0.1:8080:80 is there any way to access this container through the public internet, what about 8080:80 or no port mapping at all?
2- How do I drop all incoming connections to all Docker containers and do I need to do that? Similar to ufw default deny incoming?
3- Is there a way to see all incoming/outgoing connections of all containers?
Thanks in advance and any resource advice for securing docker for dummies is appreciated.
With Docker, the internal network is just a bridge interface. The reason most firewall rules don’t apply is a combination of:
The only thing that should be affected by the host firewall is the proxy service Docker uses to listen on a port on the host and send it to the container.
When using Docker, each container acts like an independent machine, and your host gets configured to act as a router. You can firewall Docker containers, the rules just need to be in the right place to work.
Thanks, just to clarify, even if I deny all forwards on the host using UFW, that still won’t have an affect on Docker because Docker inserts its rules above UFW rules. Correct?