Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

you are viewing a single comment's thread
view the rest of the comments

[–] Lightfire228@pawb.social 5 points 5 days ago* (last edited 5 days ago)

Think of it more like pre-canned build scripts. I can just write a script (DockerFile), which tells docker how to prepare the environment for my app. Usually, this is just pulling the pre-canned image for the app, maybe with some extra dependencies pulled in.

This builds an image (a non-running snapshot of your environment), which can be used to run a container (the actual running app)

Then, i can write a config file (docker-compose.yaml) which tells docker how to configure everything about how the container talks to the host.

shared folders (volumes)
other containers it needs to talk to
network isolation and exposed ports

The benefit of this, is that I don't have to configure the host in any way to build / host the app (other than installing docker). Just push the project files and docker files, and docker takes care of everything else

This makes for a more reliable and dependable deploy

You can even develop the app locally without having any of the devtools installed on the host

As well, this makes your app platform agnostic. As long as it has docker, you don't need to touch your build scripts to deploy to a new host, regardless of OS

A second benefit is process isolation. Should your app rely on an insecure library, or should your app get compromised, you have a buffer between the compromised process and the host (like a light weight VM)