I’m writing this because it feels like what I’m having to do in production with firewalling in front of Docker goes against the overall purpose of containerization. Namely, using iptables or tools like UFW on the host is unpredictable for most users (unless they’re really familiar with Docker networking). Wouldn’t we want all of the guides and history of use for a tool as widely used as iptables to apply to systems running Docker containers? Having our Docker services affect our systems this way seems to break the idea of containerization. This seems to be at the level of complexity where maintaining secure Docker services becomes an issue.
In short, I want to be more sure of firewall management, like I was when I ran my production software on the host, rather than docker containers. What if, for example, the iptables logic was all kept inside of docker containers? There must be a nice way of simplifying this and keeping host networking more predictable.
Thanks for your consideration.
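The unpredictability described above comes from Docker managing the FORWARD chain itself: traffic to a published port is forwarded, not delivered to the host, so INPUT-chain rules (which is where UFW puts most of its policy) never see it. Docker's documented hook for host-side policy is the DOCKER-USER chain, which FORWARD jumps to before any of Docker's own rules and which Docker does not flush when it restarts. The script below is an added example, not code from the original post or from Docker; the management network 10.0.0.0/24 and the interface name eth0 are constructed placeholders. It prints the rules so they can be reviewed before applying them, applies them only when run as root with --apply, and checks that DOCKER-USER is really the first jump in FORWARD, which is the condition that makes the rules take effect before Docker's port-publishing rules.

```shell
#!/bin/sh
# Added example: restrict access to published Docker ports from the host side
# using the DOCKER-USER chain. Docker's own FORWARD rules accept traffic to
# published ports, so host policy must sit in DOCKER-USER, which FORWARD
# consults first and which Docker leaves alone on restart.
# Constructed placeholders (override via environment): the network allowed to
# reach containers and the external interface name.
ALLOWED_NET="${ALLOWED_NET:-10.0.0.0/24}"
EXT_IF="${EXT_IF:-eth0}"

# docker_user_rules NET IFACE: print (do not run) the iptables commands that
# allow replies and NET in through IFACE and drop every other new connection
# arriving on IFACE. Docker-internal traffic (bridge to bridge) is untouched.
docker_user_rules() {
    net="$1"
    ifname="$2"
    cat <<EOF
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i $ifname -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
iptables -A DOCKER-USER -i $ifname -s $net -j RETURN
iptables -A DOCKER-USER -i $ifname -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

# forward_jumps_docker_user_first: reads `iptables -S FORWARD` output on stdin
# and succeeds only if the first jump in FORWARD targets DOCKER-USER. If some
# other chain is jumped to first, DOCKER-USER rules are evaluated too late.
forward_jumps_docker_user_first() {
    first="$(grep '^-A FORWARD -j ' | head -n 1)"
    [ "$first" = "-A FORWARD -j DOCKER-USER" ]
}

# Constructed sample of `iptables -S FORWARD` on a host running Docker, used
# for offline checking; it is not captured from a real machine.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Apply for real only when asked explicitly and running as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    docker_user_rules "$ALLOWED_NET" "$EXT_IF" | sh -e
    if ! iptables -S FORWARD | forward_jumps_docker_user_first; then
        echo "warning: DOCKER-USER is not the first jump in FORWARD" >&2
    fi
else
    echo "# rules that --apply would run:"
    docker_user_rules "$ALLOWED_NET" "$EXT_IF"
fi
```

Review the printed rules first (`sh script.sh`), then run `sh script.sh --apply` as root. The DROP is scoped to the external interface on purpose: dropping everything in DOCKER-USER would also cut container-to-container and container-to-internet traffic, which is a common way to break a host while trying to harden it.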