Hello everybody,

I have a security problem. I can’t isolate WEB to LANTOOL

Here is the context :
https://www.dropbox.com/s/2ithabmp9vuzjuu/Capture%20d%E2%80%99%C3%A9cran%20de%202020-11-20%2008-50-10.png?dl=0

I have a SERVER that manage many services. I need to make a DMZ network for Nginx and associated WEB services.

My docker-compose looks like :

networks:
dmz:
internal:
services:
…
networks:
- dmz
LANTOOL:
…
networks:
- internal

I need to allow these access :

• USER1 ↔ WEB - htp://SERVER:80/web/index.html
• WAN ↔ WEB - htpt://mydns.toto.net/web/index.html
• USER1 → LANTOOL - htp://SERVER:8080/lantool/index.html

and I need to deny :

• WEB → LANTOOL - both htp://SERVER:8080/lantool/index.html and htp://LANTOOL:8080/lantool/index.html

My security breach come from the deny access htp://SERVER:8080/lantool/index.html from WEB container…
An idea, for docker compose configuration to fix the problem ?
Alex

I found an easier solution with new firewall rules.

If WEB and LANTOOL are in the DMZ network, by default they will be able to communicate with each other. While Kubernetes has network policies to establish port filtering amongst pods, swarm or docker-compose do not have such a concept. Every container in a network is able to freely communicate with every other container in the same docker network.

What you experience is typical if you have a reverse proxy as entrypoint in a frontend network (e.g. dmz in your case) and add this frontend network to each container. To seperate the application networks from each other, you would need to add each application network to your reverse proxy container, instead of adding the fontend network to each application container.

If you don’t use a reverse proxy as entrypoint the whole dmz network seems useless, as it only introduces security problems, without realy surving a purpose?