Does it matter if Docker ignores UFW rules

After years of running a homelab and using virtualization, I am finally dipping my toes into containers. Without going into all the details of my software and networking preferences, the short of it is that I use Debian 12 on my host with ufw to manage my firewall.

As has been posted in about a million places over the past 5 years or so, Docker and ufw are “incompatible” due to Docker inserting its rules into the iptables BEFORE ufw. I interpret “incompatible” as: Any rules defined in ufw will not apply to Docker ports exposed via a bridge network.

Does this actually matter in a homelab setting with a handful or so of managed containers?

The reason I ask is that the Packet filtering and firewalls documentation from Docker includes the following statements (emphasis mine):

  • Port publishing and mapping
    • "By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not been published. Published container ports are mapped to host IP addresses. "
  • Restrict external connections to containers
    • “By default, all external source IPs are allowed to connect to ports that have been published to the Docker host’s addresses.”

My interpretation is that as long as a port is not mapped or exposed in my docker-compose.yaml file, it is just as good as being denied through ufw, since the containers live on a docker bridge network type, which is, by its very nature, isolated.

I acknowledge that if I map or expose 8080 for a container I would have no way to create an additional firewall rule on the host, but I don’t want to block that port anyway since I want to access it across my internal network. I simply won’t forward it on my internet gateway. If there are additional ports being used in the container, I simply do not map or expose them and they cannot be accessed outside of the docker bridge network.

Is my interpretation correct? Am I making valid assumptions?

Thanks in advance.
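The mechanism behind the question above, as an added example that is not part of the original post: Docker publishes a port with a DNAT rule in the nat table's DOCKER chain, so the packet is rewritten in PREROUTING and then takes the FORWARD path (DOCKER-USER, then DOCKER), never INPUT, which is where ufw's chains hang. The script below reads an `iptables-save` snapshot and reports which published ports a `ufw deny` cannot block. The snapshot is constructed to mimic a Debian host running ufw plus Docker (chain names are real, the rule set is simplified); the interface `eth0` and LAN `192.168.1.0/24` in the DOCKER-USER comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. On a real host replace the
# constructed SNAPSHOT with the output of:  sudo iptables-save
set -eu

SNAPSHOT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
-A DOCKER-USER -j RETURN
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8080 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 5432 -j DROP
COMMIT'

# Published ports are the DNAT rules in the nat DOCKER chain. A "-d 127.0.0.1/32"
# match means the port was published as 127.0.0.1:port (loopback only); any
# other rule is bound on all host addresses and reachable from the LAN.
published_ports() {
  printf '%s\n' "$1" | awk '
    /^-A DOCKER / && /-j DNAT/ {
      host="0.0.0.0"; proto=""; dport=""; dest=""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { host = $(i+1); sub(/\/32$/, "", host) }
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "--to-destination") dest = $(i+1)
      }
      print proto, host ":" dport, "->", dest
    }'
}

# Ports that ufw drops in INPUT ("ufw deny <port>" lands in ufw-user-input).
ufw_input_drops() {
  printf '%s\n' "$1" | awk '
    /^-A ufw-user-input / && (/-j DROP/ || /-j REJECT/) {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1)
    }'
}

# Published ports that ufw appears to block but does not: the DNAT in
# PREROUTING sends the packet down FORWARD, so INPUT (and ufw) never sees it.
published_but_ufw_blocked() {
  snap=$1
  published_ports "$snap" | while read -r proto hostport _ dest; do
    host=${hostport%:*}
    port=${hostport##*:}
    [ "$host" = "127.0.0.1" ] && continue
    if ufw_input_drops "$snap" | grep -qx "$port"; then
      echo "$proto $hostport -> $dest (ufw deny $port is ineffective)"
    fi
  done
}

# The chain FORWARD consults first. Docker inserts DOCKER-USER at the top so
# that administrator rules there run before Docker's own ACCEPTs; that chain,
# not ufw, is where a LAN-only restriction belongs. The Docker docs' pattern,
# with eth0 and 192.168.1.0/24 assumed here:
#   iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
first_forward_chain() {
  printf '%s\n' "$1" | awk '/^-A FORWARD / { print $NF; exit }'
}

if [ "${1:-}" = "report" ]; then
  echo "published ports:"; published_ports "$SNAPSHOT"
  echo "FORWARD consults first: $(first_forward_chain "$SNAPSHOT")"
  echo "ufw rules that do nothing for published ports:"
  published_but_ufw_blocked "$SNAPSHOT"
fi
```

Run it as `bash check-docker-ufw.sh report`. On the constructed snapshot it lists 8080 as published on all addresses and blocked only in INPUT, which is exactly the case where a `ufw deny 8080` gives a false sense of security, while 5432 is safe because it was published on 127.0.0.1 in the first place. Binding to a specific address in the compose file (`"127.0.0.1:5432:5432"`) or adding the DOCKER-USER rule are the two knobs that actually take effect.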

If it just “ignores” the rules, no, it doesn’t matter, but UFW can also reject communication between containers. If you know UFW and you are okay with changing the configuration when needed, you will probably not have a problem in the homelab, but if you have any network issue you can’t explain, try disabling UFW and see if that helps.

I had a project where we had some network communication issues. It was years ago, but I think the problem was caused by Docker and ufw on the same machine. Since it is a homelab, you can try it and test every kind of communication you need. Also try rebooting the machine, forwarding ports to containers, and accessing containers from another container on the same network…

I quoted the word “ignores”, because it is about the order of the rules and which chain and table the rules are added to, but I know that the documentation uses the same word.
