Hi @konstruktoid !

I would like to know how things are handled with UFW.
In general when I used to run docker and UFW together, Docker could totally bypass UFW.
What would be the status when running your hardening playbook and this one here?
Or perhaps, is it not considered a problem?

It seems that something like this would be necessary if it is useful to put docker containers behind UFW:

**Disable Docker’s iptables Management:**

In `/etc/docker/daemon.json`:

```json
{
  "iptables": false
}
```

Restart the Docker service:

```sh
sudo systemctl restart docker
```

**Enable UFW Forwarding:**

Edit `/etc/default/ufw` and set:

```sh
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Reload UFW:

```sh
sudo ufw reload
```

**Allow Docker-Related Traffic in UFW:**

Allow traffic for Docker containers by explicitly specifying the required ports or subnets:

```sh
sudo ufw allow in on docker0
sudo ufw allow out on docker0
```
> In general when I used to run docker and UFW together, Docker could totally bypass UFW. What would be the status when running your hardening playbook and this one here?

Regarding any solution, it is to acknowledge the issue and be sure to limit published ports manually.
To get consistent firewall management, consider `manage_ufw: false` and "manually" configure iptables.
Otherwise I'd try and see which solution works best for you.
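The following audit script is an added example and is not part of this issue, the reply, or the konstruktoid playbook. It checks the three things the thread turns on: whether Docker still manages iptables (the `"iptables"` key in `/etc/docker/daemon.json`, path taken from the issue), what `DEFAULT_FORWARD_POLICY` is set to in `/etc/default/ufw` (also from the issue), and, following the reply's advice to limit published ports manually, which container ports are bound to a non-loopback address and are therefore reachable from outside regardless of UFW while Docker manages iptables. Every check is a pure function over text so it can be run offline on captured files; the `__main__` block reads the real files and `docker ps --format '{{.Names}}\t{{.Ports}}'` (a real Docker option) when available, and otherwise falls back to a constructed sample. Treating only `127.*` and `[::1]` bindings as safe is an assumption of this example.

```python
"""Audit the Docker/UFW interaction described in the issue above.

Three checks, each a pure function over text so they run offline:
  1. does Docker still manage iptables (daemon.json "iptables" key)?
  2. what is UFW's DEFAULT_FORWARD_POLICY in /etc/default/ufw?
  3. which container ports are published on a non-loopback address
     (the ones reachable from outside regardless of UFW INPUT rules)?
"""
import json
import re
import subprocess
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")  # path from the issue
UFW_DEFAULTS = Path("/etc/default/ufw")        # path from the issue


def docker_manages_iptables(daemon_json_text: str) -> bool:
    """True unless daemon.json explicitly sets "iptables": false.

    Docker's default is to manage iptables itself; a missing or empty
    file therefore means the default (managed) behaviour applies.
    """
    if not daemon_json_text.strip():
        return True
    return bool(json.loads(daemon_json_text).get("iptables", True))


def ufw_forward_policy(ufw_defaults_text: str) -> str:
    """Return DEFAULT_FORWARD_POLICY from /etc/default/ufw, "DROP" if unset
    (the value UFW ships with)."""
    m = re.search(r'^\s*DEFAULT_FORWARD_POLICY\s*=\s*"?(\w+)"?',
                  ufw_defaults_text, re.MULTILINE)
    return m.group(1).upper() if m else "DROP"


# One host binding in the `docker ps` Ports column, e.g. 0.0.0.0:8080->80/tcp
# or :::8080->80/tcp (Docker prints the IPv6 wildcard without brackets).
_BINDING = re.compile(
    r"(?P<host>\d+(?:\.\d+){3}|::|\[[0-9a-fA-F:]+\]):(?P<hport>\d+)->\d+/(?P<proto>\w+)"
)


def publicly_published_ports(docker_ps_output: str) -> list:
    """Parse `docker ps --format '{{.Names}}\t{{.Ports}}'` output.

    Returns (container, host_address, host_port, proto) for every port
    bound to something other than loopback. Ports with no host binding
    (plain "80/tcp") are container-internal and are not reported.
    """
    found = []
    for line in docker_ps_output.splitlines():
        name, _, ports = line.partition("\t")
        if not name.strip():
            continue
        for m in _BINDING.finditer(ports):
            host = m.group("host")
            if host.startswith("127.") or host == "[::1]":
                continue  # loopback-only binding: not reachable from outside
            found.append((name, host, int(m.group("hport")), m.group("proto")))
    return found


def audit(daemon_json_text: str, ufw_defaults_text: str, docker_ps_output: str) -> dict:
    """Combine the three checks into one report."""
    managed = docker_manages_iptables(daemon_json_text)
    public = publicly_published_ports(docker_ps_output)
    return {
        "docker_manages_iptables": managed,
        "ufw_forward_policy": ufw_forward_policy(ufw_defaults_text),
        "public_ports": public,
        # While Docker manages iptables, every non-loopback published port
        # is reachable no matter what `ufw status` says.
        "ports_bypass_ufw": managed and bool(public),
    }


def _read(path: Path) -> str:
    return path.read_text() if path.exists() else ""


if __name__ == "__main__":
    try:
        ps = subprocess.run(
            ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
            capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Constructed sample so the script still demonstrates the parsing
        # on a machine without Docker.
        ps = ("web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n"
              "db\t127.0.0.1:5432->5432/tcp\n"
              "internal\t80/tcp\n")
    for key, value in audit(_read(DAEMON_JSON), _read(UFW_DEFAULTS), ps).items():
        print(f"{key}: {value}")
```

Run it as root on the Docker host (or point `_read` at copies of the two files and feed it a saved `docker ps` listing) and treat `ports_bypass_ufw: True` as the signal that a port is exposed without UFW's say, the situation the issue describes; in the sample above `web` is listed on both `0.0.0.0` and `::` while the loopback-bound `db` and the unpublished `internal` are not.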