this post was submitted on 07 Dec 2025
101 points (93.2% liked)

Docker security (lemmy.zip)
submitted 1 day ago* (last edited 1 day ago) by jobbies@lemmy.zip to c/selfhosted@lemmy.world

You're probably already aware of this, but if you run Docker on Linux and use ufw or firewalld - it will bypass all your firewall rules. It doesn't matter what your defaults are or how strict you are about opening ports; Docker has free rein to send and receive from the host as it pleases.

If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you're a pointy head with a fetish for iptables this will be a world of pain, so it isn't really a solution.

There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason it's no longer working and Docker is back to doing its own thing.

Am I missing an obvious solution here?

It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.
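An added example (not from the poster or from the ufw-docker project) that makes the accidental exposure the post describes visible: it reads `docker inspect` JSON and flags any published port bound to all host interfaces, since those bindings are reached through Docker's own iptables chains rather than ufw's INPUT rules, while a port bound to 127.0.0.1 stays off the network. The sample containers embedded below are constructed, not real output.

```python
"""Audit published Docker ports that bypass a host firewall such as ufw.

Usage on a real host: docker inspect $(docker ps -q) | python3 audit_ports.py
Run with no stdin to check the constructed SAMPLE data instead.
"""
import json
import sys

# A HostIp of "", 0.0.0.0 or :: means the port is published on every interface.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_ports(containers):
    """Return (name, host_ip, host_port, container_port, exposed) per binding."""
    findings = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            # bindings is None for EXPOSEd-but-unpublished ports: nothing to flag
            for b in bindings or []:
                host_ip = b.get("HostIp", "")
                exposed = host_ip in ALL_INTERFACES
                findings.append((name, host_ip, b.get("HostPort", ""), container_port, exposed))
    return findings


def report(findings):
    """One human-readable line per binding, marking the firewall-bypassing ones."""
    lines = []
    for name, host_ip, host_port, cport, exposed in findings:
        tag = "EXPOSED (bypasses ufw)" if exposed else "local only"
        lines.append(f"{name}: {host_ip or '0.0.0.0'}:{host_port} -> {cport} [{tag}]")
    return lines


# Constructed sample resembling `docker inspect` output (hypothetical containers).
SAMPLE = [
    {"Name": "/web", "NetworkSettings": {"Ports": {
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                   {"HostIp": "::", "HostPort": "8080"}]}}},
    {"Name": "/db", "NetworkSettings": {"Ports": {
        "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}],
        "9187/tcp": None}}},
]

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_ports(data)
    print("\n".join(report(findings)))
    sys.exit(1 if any(f[4] for f in findings) else 0)  # non-zero when something is exposed
```

The exit status makes it usable as a cron or CI check alongside ufw-docker, so a regression like the one in the post is noticed rather than silently reopening ports.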

[–] davad@lemmy.world 10 points 1 day ago* (last edited 1 day ago) (2 children)

In an enterprise setting, you shouldn't trust the server firewall. You lock that down with your network equipment.

Edit: sorry, I failed to read the whole post 🤦‍♂️. I don't have a good answer for you. When I used Docker in my homelab, I exposed services using labels and a traefik container similar to this: https://docs.docker.com/guides/traefik/#using-traefik-with-docker

That doesn't protect you from accidentally exposing ports, but it helps make it more obvious when it happens.

[–] jobbies@lemmy.zip 11 points 1 day ago

In an enterprise setting, you shouldn't trust the server firewall. You lock that down with your network equipment.

I thought someone might say this, but it doesn't seem very zero-trust?

Ideally you'd still want the host to be as secure as humanly possible?

Yes, but having both in place can help mitigate lateral movement risk.