Comments (3)
Hi @chaifeng
Thanks for your feedback.
What do you think about these rules?
I would prefer the following approach "allow rules first, block anything else".
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
# allow communication between containers
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
# allow established connections (e.g. initiated by a container)
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 10.0.0.0/8
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 172.16.0.0/12
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 192.168.0.0/16
# block anything else
-A DOCKER-USER -j ufw-docker-logging-deny
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
Only one concern I have is about the original rules, which have been widely deployed and tested in various environments.
I see your point. Nevertheless, in terms of security/firewalling it would make sense to default to the new rules. In addition, this approach makes the rules much more understandable and feels less hacky.
So, I'm thinking to update the documentation to include both sets of rules. Let users choose which one they want to use.
Good point. I would add a deprecation mark for the old approach and highlight the drawbacks when using it.
from ufw-docker.
Hi @vodasams57
Thank you for your advice. It's especially helpful in handling UDP traffic. My original thought was to stop new connections from outside networks and also to defend against SYN flood attacks. But you're right about the issues, especially with how we handle UDP.
If using conntrack, I'm considering these new rules to block new connections by default:
# --ctstate is provided by the conntrack match extension, so each rule needs -m conntrack
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 192.168.0.0/16
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 10.0.0.0/8
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 172.16.0.0/12
What do you think about these rules?
Only one concern I have is about the original rules, which have been widely deployed and tested in various environments. It works in most cases. So, I'm thinking to update the documentation to include both sets of rules. Let users choose which one they want to use.
from ufw-docker.
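The thread above contrasts two DOCKER-USER rule sets: the "allow rules first, block anything else" set in the earlier comment and the "drop NEW connections by default" set in this one. The following Python simulator is an added example, not ufw-docker's code and not either commenter's; it replays both sets with iptables first-match semantics over a few constructed packets to show where they agree and where they differ. Assumptions that are not in the thread: the drop-NEW set keeps the `-j ufw-user-forward` jump in front of its three DROP lines, `UFW_ROUTE_ALLOW` is a stand-in for a `ufw route allow` rule for a hypothetical container at 172.17.0.2, the sample addresses (203.0.113.5 for an Internet host, 10.0.0.5 for a LAN host, 1.1.1.1 for a DNS server) are constructed, and conntrack states are assigned by hand rather than tracked.

```python
import ipaddress
import shlex

# Rule set A: "allow rules first, block anything else", as proposed in the thread.
ALLOW_FIRST = """
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 10.0.0.0/8
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 172.16.0.0/12
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
"""

# Rule set B: "drop NEW connections by default". ASSUMPTION: the same jump to
# ufw-user-forward precedes the three DROP lines (the thread shows only the DROP lines).
DROP_NEW = """
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 192.168.0.0/16
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 10.0.0.0/8
-A DOCKER-USER -m conntrack --ctstate NEW -j DROP -d 172.16.0.0/12
"""

# Constructed stand-in for what `ufw route allow` would leave in ufw-user-forward
# for a hypothetical container at 172.17.0.2.
UFW_ROUTE_ALLOW = "-A ufw-user-forward -d 172.17.0.2 -j ACCEPT\n"

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SETTERS = {"-s": ("src", ipaddress.ip_network), "-d": ("dst", ipaddress.ip_network),
           "-j": ("target", str), "--ctstate": ("ctstate", lambda a: set(a.split(",")))}
IGNORED = {"-m", "--limit", "--limit-burst", "--log-prefix"}  # never change the verdict


def parse_rules(text):
    """Parse '-A chain ...' lines into {chain: [rule, ...]}, preserving order."""
    chains = {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        chain, rule = None, {"src": None, "dst": None, "ctstate": None, "target": None}
        for opt, arg in zip(argv[0::2], argv[1::2]):  # every option used here takes one argument
            if opt == "-A":
                chain = arg
            elif opt in SETTERS:
                key, convert = SETTERS[opt]
                rule[key] = convert(arg)
            elif opt not in IGNORED:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    return ((rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"]))


def walk(chains, chain, pkt):
    """First matching terminal rule wins; LOG never stops evaluation; a user chain
    that RETURNs (explicitly or by running off its end) resumes in the caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":
            continue
        if target in TERMINAL or target == "RETURN":
            return target
        sub = walk(chains, target, pkt)
        if sub != "RETURN":
            return sub
    return "RETURN"


def verdict(ruleset, pkt, ufw_route_rules=""):
    """DOCKER-USER verdict; 'RETURN' hands the packet on to Docker's own FORWARD rules."""
    return walk(parse_rules(ruleset + ufw_route_rules), "DOCKER-USER", pkt)


def compare(pkt, ufw_route_rules=""):
    """(allow-first verdict, drop-NEW verdict) for the same packet."""
    return (verdict(ALLOW_FIRST, pkt, ufw_route_rules),
            verdict(DROP_NEW, pkt, ufw_route_rules))


def packet(src, dst, ctstate):
    """Constructed packet carrying the conntrack state the kernel would assign."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "ctstate": ctstate}


SCENARIOS = [  # constructed: 203.0.113.0/24 = Internet, 172.17.0.2 = container, 10.0.0.5 = LAN host
    ("Internet -> container, NEW, no ufw route rule", packet("203.0.113.5", "172.17.0.2", "NEW"), ""),
    ("Internet -> container, NEW, ufw route allow", packet("203.0.113.5", "172.17.0.2", "NEW"), UFW_ROUTE_ALLOW),
    ("container -> Internet, NEW (outbound)", packet("172.17.0.2", "203.0.113.5", "NEW"), ""),
    ("UDP DNS reply -> container, ESTABLISHED", packet("1.1.1.1", "172.17.0.2", "ESTABLISHED"), ""),
    ("LAN host -> container, NEW", packet("10.0.0.5", "172.17.0.2", "NEW"), ""),
]

if __name__ == "__main__":
    for name, pkt, extra in SCENARIOS:
        first, new = compare(pkt, extra)
        print(f"{name:48s} allow-first={first:7s} drop-NEW={new}")
```

Running it prints one line per scenario. Both sets drop an unsolicited connection from the Internet, accept it once a ufw route rule exists, and pass replies and container-initiated traffic back to Docker. They diverge on a new connection from a LAN host in 10.0.0.0/8: the allow-first set returns it to Docker because its source is private, while the drop-NEW set drops it because its destination is a container. That is the kind of behavioural difference worth checking against what a deployment actually expects before switching rule sets.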
Hi @chaifeng
Did you have time to have a look at my last comment?
from ufw-docker.