Functioning with UFW #512

Open
jdaln opened this issue Dec 3, 2024 · 2 comments
jdaln commented Dec 3, 2024

Hi @konstruktoid !

I would like to know how things are handled with UFW.

In general when I used to run docker and UFW together, Docker could totally bypass UFW.
What would be the status when running your hardening playbook and this one here?

Or perhaps, is it not considered a problem?

It seems that something like this would be necessary if it is useful to put docker containers behind UFW:

1. Disable Docker’s iptables Management:

   - In `/etc/docker/daemon.json`:

     ```
     {
       "iptables": false
     }
     ```

   - Restart the Docker service:

     ```
     sudo systemctl restart docker
     ```

2. Enable UFW Forwarding:

   - Edit `/etc/default/ufw` and set:

     ```
     DEFAULT_FORWARD_POLICY="ACCEPT"
     ```

   - Reload UFW:

     ```
     sudo ufw reload
     ```

3. Allow Docker-Related Traffic in UFW:

   - Allow traffic for Docker containers by explicitly specifying the required ports or subnets:

     ```
     sudo ufw allow in on docker0
     sudo ufw allow out on docker0
     ```
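
The three steps above, as an added audit script (not from the issue or the playbook): each check reads the relevant file or command output on stdin and succeeds when that step's setting is in place, plus a check that Docker is no longer hooking its own chains into FORWARD ahead of UFW's `ufw-*` chains. The file paths, the `DOCKER`/`DOCKER-USER` chain names and the `ufw show added` output format are assumptions about a stock Ubuntu host.

```shell
#!/bin/sh
# Added audit helper, not code from the issue. Each check reads stdin so it can
# be exercised with constructed samples; audit_host() wires it to the real host.

# Step 1: /etc/docker/daemon.json contains "iptables": false (whitespace-tolerant)
docker_iptables_disabled() {
  tr -d ' \t\n' | grep -q '"iptables":false'
}

# Step 2: /etc/default/ufw sets DEFAULT_FORWARD_POLICY to ACCEPT; without it UFW
# drops the bridged traffic Docker previously allowed for itself
ufw_forward_accept() {
  grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$'
}

# Bypass check on 'iptables -S FORWARD': any jump from FORWARD into a DOCKER*
# chain means Docker is still managing rules outside UFW's view
docker_forward_rules_absent() {
  ! grep -Eq '^-A FORWARD .*-j DOCKER'
}

# Step 3: 'ufw show added' lists both docker0 allow rules (assumed output format)
ufw_docker0_rules_present() {
  added=$(cat)
  printf '%s\n' "$added" | grep -q '^ufw allow in on docker0$' &&
    printf '%s\n' "$added" | grep -q '^ufw allow out on docker0$'
}

# Runs the four checks against the live host; needs root for iptables/ufw
audit_host() {
  rc=0
  docker_iptables_disabled < /etc/docker/daemon.json ||
    { echo "FAIL: Docker still manages iptables"; rc=1; }
  ufw_forward_accept < /etc/default/ufw ||
    { echo "FAIL: DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
  iptables -S FORWARD | docker_forward_rules_absent ||
    { echo "FAIL: Docker chains still hooked into FORWARD"; rc=1; }
  ufw show added | ufw_docker0_rules_present ||
    { echo "FAIL: docker0 allow rules missing from UFW"; rc=1; }
  return $rc
}

# Only touch the host when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
  audit_host
fi
```

Note that with `"iptables": false` Docker also stops adding its MASQUERADE rule, so containers on `docker0` lose outbound connectivity until NAT is configured by hand (for example in `/etc/ufw/before.rules`).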
konstruktoid (Owner) commented

> In general when I used to run docker and UFW together, Docker could totally bypass UFW. What would be the status when running your hardening playbook and this one here?
>
> Or perhaps, is it not considered a problem?

Hi!
Well, it's considered a problem (as stated in this classic https://vpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html) since UFW doesn't have any idea about any iptables configuration done outside UFW.

Regarding any solution, it is to acknowledge the issue and be sure to limit published ports manually.
To get consistent firewall management, consider `manage_ufw: false` and "manually" configure iptables.

Otherwise I'd try and see which solution works best for you.

jdaln (Author) commented Dec 5, 2024

Thank you for the answer. I will give it a try in the coming weeks and come back here to share what I ended up with.
