After years of running a homelab and using virtualization, I am finally dipping my toes into containers. Without going into all the details of my software and networking preferences, the short of it is that I use Debian 12 on my host with ufw to manage my firewall.
As has been posted in about a million places over the past 5 years or so, Docker and ufw are “incompatible” due to Docker inserting its rules into the iptables BEFORE ufw. I interpret “incompatible” as: Any rules defined in ufw will not apply to Docker ports exposed via a bridge network.
Does this actually matter in a homelab setting with a handful or so of managed containers?
The reason I ask is that the Packet filtering and firewalls documentation from Docker includes the following statements (emphasis mine):
- Port publishing and mapping
  - "By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not been published. Published container ports are mapped to host IP addresses."
- Restrict external connections to containers
  - "By default, all external source IPs are allowed to connect to ports that have been published to the Docker host's addresses."
My interpretation is that as long as a port is not mapped or exposed in my docker-compose.yaml file, it is just as good as being denied through ufw, since the network the containers live on is a docker bridge network type, which is, by its very nature, isolated.
I acknowledge that if I map or expose 8080 for a container I would have no way to create an additional firewall rule on the host, but I don't want to block that port anyway, since I want to access it across my internal network. I simply won't forward it on my internet gateway. If there are additional ports being used in the container, I simply do not map or expose them and they cannot be accessed outside of the docker bridge network.
Is my interpretation correct? Am I making valid assumptions?
Thanks in advance.
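As an added example, not from the original post or from Docker's own tooling: a small Python audit of compose `ports` short-syntax entries that reports which published ports are bound on an address other hosts can reach (where host ufw rules will not apply), as opposed to loopback-only bindings. The names `PortMapping`, `parse_port` and `exposed_to_network` are made up for this example and the sample entries are constructed; it covers `ports` entries only, since compose `expose` does not publish a port to the host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PortMapping:
    """One compose 'ports' entry after parsing (hypothetical helper type)."""
    host_ip: Optional[str]    # None = bound on all host interfaces (0.0.0.0 / ::)
    host_port: Optional[str]  # None = Docker assigns an ephemeral host port
    container_port: str
    proto: str = "tcp"

    @property
    def reachable_from_lan(self) -> bool:
        # Only loopback bindings stay confined to the host itself; any other
        # binding is reachable from other hosts and is not filtered by ufw.
        return self.host_ip not in ("127.0.0.1", "::1", "localhost")


def parse_port(spec: str) -> PortMapping:
    """Parse Docker short syntax: [[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]."""
    spec, proto = str(spec).strip(), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    # IPv6 host addresses are written in brackets, e.g. "[::1]:8080:80".
    m = re.match(r"^\[([^\]]+)\]:(.*)$", spec)
    if m:
        host_ip, rest = m.group(1), m.group(2)
    else:
        parts = spec.split(":")
        host_ip = parts[0] if len(parts) == 3 else None
        rest = ":".join(parts[-2:]) if len(parts) >= 2 else spec
    rest_parts = rest.split(":")
    if len(rest_parts) == 2:
        host_port, container_port = rest_parts
    else:  # bare "80": published on all interfaces with an ephemeral host port
        host_port, container_port = "", rest_parts[0]
    return PortMapping(host_ip, host_port or None, container_port, proto)


def exposed_to_network(specs: List[str]) -> List[str]:
    """Return the entries that publish a port on a non-loopback host address."""
    return [s for s in specs if parse_port(s).reachable_from_lan]


if __name__ == "__main__":
    # Constructed sample 'ports' entries, as they might appear in a compose file.
    sample = ["8080:80", "127.0.0.1:9000:9000", "[::1]:5432:5432", "53:53/udp"]
    for entry in exposed_to_network(sample):
        print(f"{entry}: reachable from the LAN; host ufw rules will not apply")
```

Binding a mapping to a specific host address (for example `127.0.0.1:8080:80`) is the compose-level way to narrow who can reach a published port when host firewall rules cannot be relied on.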