Update: Docker Security - Host port mapping and firewalls

[suspiciousRaccoon]

What is missing or needs to be updated?

The Docker Cheatsheet doesn't mention that by default ports mapped to the host ignore UFW rules, leaving docker containers open. This is documented on the docker docs but it is buried in, and most of the time the user will make the mistake instead of reading it.

How should this be resolved?

Adding a section "Be careful when mapping container ports to the host with UFW" to the Docker cheatsheet.

Mapping to the localhost fixes this:
8000:8000 -> 127.0.0.1:8000:8000

Alternatively this ufw-docker repository contains the instructions for modifying UFW rules to disallow public traffic from interacting with docker networks. It also includes a small script to install the extra rules.

[jmanico]

seems reasonable to me, lets go PR!

[suspiciousRaccoon]

I'll open a draft PR on the weekend.

It might be better to word this as general problem with iptables/nftables based tools instead of only with UFW, since I also found similar problems while using CSF. I haven't tested anything that uses nftables though.

Another way of fixing this is by assigning a static ip to the container since by default all container ips are reachable from the host, at least with bridge networks:

services:
  nginx:
    image: nginx
    networks:
      nginx-net:
        ipv4_address: 10.10.0.2

networks:
  nginx-net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.0.0/24

However I'm not sure if this should be included? Seems kinda niche although I found it useful for my use-case.

[suspiciousRaccoon]

Good morning. I saw that #2020 was opened. I left a review on that PR.

[jmanico]

We have a lot of AI bots in play now. Can you review 2020 to see if its legit? If not let me know and I'll drop it.

[mackowski]

thanks @suspiciousRaccoon for the help with review