UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.
Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.
You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…
I remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)
Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?
What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.
UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.
Interesting, I might have to read up on that next time. Thanks
But…why?
Project Calico is designed for segmenting network traffic between kubernetes workloads.
Right tool for the job.
Also if you are a Fortinet shop, supposedly you can manage rules with FortiManager. I haven’t tried that yet but it looks really cool.
Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.
They are Only in my docker bridge networks and have a few published ports
If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.
You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…
Ufw should work, jus
ufw block/limit/allow port numberI remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)
Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?