What if you want a port to be exposed to some sources other than localhost? Surely UFW should allow you to have rules for specific hosts/ranges. Currently, exposing in Docker exposes them completely and UFW is ignored.
That’s definitely a bug, or perhaps the Docker design flaw to not include external firewall support.
That doesn’t make sense. By design, a Docker container lives within the local system's virtual private network and can be exposed to the external world via the host's physical port.
Well, as @xabbu highlighted, you can only use the firewall supported by Docker. You’ll probably need to use the not-easy-to-use iptables. That’s just the Docker firewall design for now; it lacks external firewall support like UFW.
No, that’s not the case. If you use -p 8000:8000 then on your host, you have globally exposed port 8000 for any access. So, you should either not forward the port in the first place, or only for the host: -p 127.0.0.1:8000:8000.
If you have it open in the first case, you must use iptables and modify the DOCKER_USER chain.
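Added example, not from any post in this thread: a small script that does what the post above describes, restricting a published TCP port to one source range with rules in Docker's user chain. Docker's documentation spells that chain DOCKER-USER (with a hyphen) and consults it from FORWARD before Docker's own rules, so the example uses that name. The interface name eth0, the port 8000 and the allowed range 10.0.0.0/8 are assumptions for illustration; by default the script only prints the iptables commands (DRY_RUN=1), and DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a Docker-published TCP port to
# one source range via the DOCKER-USER chain. Assumed values, adjust to taste:
# external interface eth0, published host port 8000, allowed range 10.0.0.0/8.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them (needs root).

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# docker_user_restrict IFACE PORT CIDR
# A published port is DNATed in nat/PREROUTING before the packet reaches
# filter/FORWARD, where DOCKER-USER is consulted, so by then the destination
# port is the container's port, not the host port the user published. Matching
# the *original* destination port through the conntrack extension keeps the
# rule tied to the host-side port regardless of the container-side mapping.
docker_user_restrict() {
    iface=$1 port=$2 cidr=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # Inserted first, so it ends up *below* the allow rule once both are in place.
    run iptables -I DOCKER-USER -i "$iface" -p tcp \
        -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
    # RETURN hands the packet back to Docker's own rules, which then forward it.
    run iptables -I DOCKER-USER -i "$iface" -s "$cidr" -p tcp \
        -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j RETURN
}

# Show what is currently in the chain (a dry run only prints the command).
docker_user_show() {
    run iptables -S DOCKER-USER
}

docker_user_restrict eth0 8000 10.0.0.0/8
docker_user_show
```

Two caveats worth keeping in mind: iptables rules do not survive a reboot on their own, so persist them with your distribution's mechanism (iptables-persistent, nftables service or similar), and these rules only affect traffic that is forwarded into a container. A port published on 127.0.0.1 never traverses FORWARD at all, which is why loopback binding is the simpler fix when the port is not meant to be reachable externally.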
I have tested firewalld and can confirm it works exactly as expected.
Using firewalld I can control access to the ports exposed by docker.
Time to migrate from UFW to firewalld.
Thanks for the tip @xabbu .
Edit/create /etc/docker/daemon.json with the following content:
{
"iptables": false
}
Next to that, if you really don’t want to expose a port from your container, do as @mithrial already wrote and only bind the port to the host's loop-back interface instead of all interfaces:
-p 127.0.0.1:1234:80 instead of -p 1234:80 or -p 0.0.0.0:1234:80
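Added example, not from any post in this thread: a check for the situation the post above warns about, published ports that ended up bound on every interface. It parses the Ports column of `docker ps --format '{{.Names}}\t{{.Ports}}'`, in which Docker prints a published port as HOSTADDR:HOSTPORT->CTRPORT/PROTO and an exposed-but-unpublished port as just CTRPORT/PROTO, and it also classifies a `-p` argument before the container is started. The sample `docker ps` output embedded in the script is constructed for the example, not captured from a real host. One caveat on the daemon.json setting in the post: with `"iptables": false` Docker manages no iptables rules at all (so there is no DOCKER-USER chain to put rules in), and Docker's own documentation warns that the setting is likely to break container networking.

```shell
#!/bin/sh
# Added example (not from the thread): find published ports that are bound on
# all interfaces (0.0.0.0 or ::) instead of on the loopback address.
# Real usage:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports

# Constructed sample of that output (not captured from a real host).
sample_docker_ps() {
    printf 'web\t0.0.0.0:8000->8000/tcp, :::8000->8000/tcp\n'
    printf 'admin\t127.0.0.1:1234->80/tcp\n'
    printf 'worker\t80/tcp\n'
    printf 'batch\t\n'
}

# Read name<TAB>ports lines on stdin; print name<TAB>mapping for every mapping
# reachable from all interfaces. Exit status 1 if any were found, so the
# function can gate a CI job or a cron alert.
audit_published_ports() {
    awk -F'\t' '
    {
        n = split($2, m, /, */)
        for (i = 1; i <= n; i++) {
            if (m[i] !~ /->/) continue          # exposed only, nothing published
            split(m[i], side, "->")
            # the host bind address is everything before the final ":port"
            if (!match(side[1], /:[0-9]+$/)) continue
            addr = substr(side[1], 1, RSTART - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]") {
                print $1 "\t" m[i]
                found = 1
            }
        }
    }
    END { exit found ? 1 : 0 }'
}

# Classify a single `docker run -p` argument: prints "all interfaces" when the
# spec binds every address, otherwise the address it binds to.
publish_bind_addr() {
    spec=${1%%/*}                               # strip a trailing /tcp or /udp
    case $spec in
        \[*\]:*:*) addr="${spec%%]:*}]" ;;      # [::1]:1234:80
        *:*:*)     addr=${spec%%:*} ;;          # 127.0.0.1:1234:80
        *)         addr=0.0.0.0 ;;              # 1234:80 or 80: every interface
    esac
    case $addr in
        0.0.0.0|\[::\]) printf 'all interfaces\n' ;;
        *)              printf '%s\n' "$addr" ;;
    esac
}

if ! sample_docker_ps | audit_published_ports; then
    echo 'found ports bound on all interfaces; bind them to 127.0.0.1 or restrict them' >&2
fi
publish_bind_addr 1234:80
publish_bind_addr 127.0.0.1:1234:80
```

Note that Docker publishes on both 0.0.0.0 and :: by default, so a single `-p 8000:8000` shows up twice in the audit; binding to 127.0.0.1 as in the post leaves the IPv6 side unpublished as well.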
I agree, the default docker config is pretty ugly though.
It seems if you delete the zone created by docker (called docker) things start to behave as expected.
Every time docker restarts it recreates the zone so I have created a file /etc/systemd/system/docker.service.d/overide.conf