Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

you are viewing a single comment's thread
view the rest of the comments

[–] grrgyle@slrpnk.net 1 points 5 days ago (1 children)

My use case was run a mongodb container on my local, while I run my FE+BE with fast live-reloading outside of a container. Then package it all up in services for docker compose on the remote.

[–] firelizzard@programming.dev 2 points 4 days ago (1 children)

Ok… but that doesn’t answer my question. Where are you physically when you’re working on this that people are attacking exposed ports? I’m either at home or in the office, and in either case there’s an external firewall between me and any assholes who want to exploit exposed ports. Are your roommates or coworkers those kinds of assholes? Or are you sitting in a coffee shop or something?

[–] grrgyle@slrpnk.net 1 points 4 days ago* (last edited 4 days ago) (1 children)

This was on a VPS (remote) where I didn't realise Docker was even capable of punching through UFW. I assumed (incorrectly) that if a port wasn't reversed proxied in my nginx config, then it would remain on localhost only.

Just run docker run -p 27017:27017 mongo:latest on a VPS and check the default collections after a few hours and you'll likely find they're replaced with a ransom message.

[–] firelizzard@programming.dev 2 points 4 days ago

Ah, when you said local I assumed you meant your physical device