this post was submitted on 07 Dec 2025

105 points (92.7% liked)

Selfhosted

53539 readers

553 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

105

Docker security (lemmy.zip)

submitted 3 days ago* (last edited 3 days ago) by jobbies@lemmy.zip to c/selfhosted@lemmy.world

48 comments fedilink hide all child comments

You're probably already aware of this, but if you run Docker on linux and use ufw or firewalld - it will bypass all your firewall rules. It doesn't matter what your defaults are or how strict you are about opening ports; Docker has free reign to send and receive from the host as it pleases.

If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you're a pointy head with a fetish for iptables this will be a world of pain, so isn't really a solution.

There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason its no-longer working and Docker is back to doing its own thing.

Am I missing an obvious solution here?

It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.

you are viewing a single comment's thread
view the rest of the comments

[+] GreenKnight23@lemmy.world -12 points 2 days ago (11 children)

this is the second time I've seen a post like this.

docker has always been like this. if it's news to you then you must be new to docker.

if you're using the built in firewall to secure your system on your wan, you're doing it wrong. get a physical firewall. if you're doing it to secure your lan then you just need to put in some proper routes and let your hardware firewall sort it out with some vlans.

don't rely on firewalld or iptables for anything.

[–] lukecyca@lemmy.ca 7 points 2 days ago (2 children)

What if you rent a bare metal server in a data center? Or rent a VPS from a basic provider that expects you to do your own firewalling? Or run your home lab docker host on the same vlan as other less trusted hosts?

It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.

You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.

[–] wasabi@feddit.org -1 points 2 days ago

What if you rent a bare metal server in a data center?

Install proxmox and use its SDN/FW features?

[–] GreenKnight23@lemmy.world -5 points 2 days ago (1 children)

What if you rent a bare metal server in a data center?

any msp will work with your security requirements for a cost. if you can't afford it, then you shouldn't be using a msp.

Or rent a VPS from a basic provider that expects you to do your own firewalling?

find a better msp. if a vendor you're paying tells you to fuck off with your requirements for a secure system, they are telling you that you don't matter to them and their only goal is to take your money.

Or run your home lab docker host on the same vlan as other less trusted hosts?

don't? IDK what to tell you if you understand what a vlan is and still refuse to set one up properly to segment your network securely.

It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.

don't confuse reliable with convenient. iptables and firewalld are not reliable, but they are certainly convenient.

You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.

poor network architecture is no excuse. do it the proper way or you're going to get your shit exposed one day.

[–] slazer2au@lemmy.world 1 points 2 days ago (1 children)

iptables and firewalld are not reliable

Can you give examples of that?

[–] GreenKnight23@lemmy.world 1 points 2 days ago (2 children)

anyone gaining physical or remote access to the device can set rules. by protecting the entire network with a hardware firewall you mitigate attack vectors from other hardware on your network that become compromised.
iptables and firewalld are notorious for locking users out of the system by overzealous or green system admins. in the msp world this happens practically by the hour.
iptables and firewalld can be used against you in the event of a breach. one of the first things an attacker may attempt is to forward ports and lock system admins out as they take over the system.
make sure you save your rules properly or they'll be gone after a reboot or botched upgrade
migrating your rules from one system to another when you're changing hardware or restoring a system is a huge pain in the ass.
got a network change that's going to modify the subnet your systems are on? get ready to migrate all 15 of your devices one by one for the next 8-15 hours (depending on the complexity of your rules)

it's far easier, and safer to have all your network config done in the network. from system migrations to securing/hardening. it's far more efficient and effective to have a single source of truth that manages network routing and firewall rules. hell, you can even have a redundant or load balanced firewall configuration if you're afraid of a single point of failure.

point is, firewalld and iptables is for amateur hour and hobbyists.

if you want to complain that "docker doesn't respect system firewalls" then at least have the chutzpah enough to do it the right way from the beginning.

[–] slazer2au@lemmy.world 2 points 2 days ago

None of those speak to the reliability of iptables. They all sound like skill issues.

In 15 years of network engineering iptables has been the simplest part.

A layered approach with hardware firewalls is valid but when those firewalls get popped, looking at you Cisco, Fortinet, and PA you still want host level restrictions.
Your firewall or switch should never be used as a jump host to servers

[–] atzanteol@sh.itjust.works 1 points 2 days ago (1 children)

point is, firewalld and iptables is for amateur hour and hobbyists.

Which is weird for you to say since practically all of the issues you list are mistakes that amateurs and hobbyists make.

[–] GreenKnight23@lemmy.world 1 points 2 days ago (1 children)

this is selfhosted. a community that's predominantly amateur or hobbyist.

[–] atzanteol@sh.itjust.works 1 points 1 day ago (1 children)

But absolutely none of the issues you listed are issues with iptables.

[–] GreenKnight23@lemmy.world 1 points 1 day ago (1 children)

I wouldn't go onto a teen community and spout off how to make explosives even though they're relatively safe to a trained individual.

same reason behind not allowing a hobbyist and amateur community to think that iptables and firewalld is the best/only solution.

it's dangerous and someone will get hurt eventually.

[–] atzanteol@sh.itjust.works 1 points 1 day ago

This is... Pretty stupid. There are things to be careful about but it's pretty straight forward to use iptables.

load more comments (8 replies)