I just learned to use Docker a bit and I would like to say that it is great. As I am using it on a vServer, I have a security question.
First I have to say that I am using ufw with the modification from GitHub - chaifeng/ufw-docker: To fix the Docker and UFW security flaw without disabling iptables, to make it work with Docker. ufw-docker is running properly so far and doing its job.
For my containers I use a custom network (10.0.0.0/24), because I don't want Docker to assign addresses via DHCP.
If I create firewall rules for Docker/Docker containers I use the following syntax (e.g.):
ufw route allow proto tcp from any to 10.0.0.3 port 443 comment 'Incoming all to NGINX Proxy'
10.0.0.3 = static IP of my Docker container (NGINX PM)
Question: Is it secure to allow traffic from an external network directly to a Docker container?
In my case the Docker container which is accessible from outside is "only" the NGINX Proxy Manager.
The NPM itself forwards requests coming to defined FQDNs to the internal Docker network (custom network 10.0.0.x in my case).
A DNS question
I also noticed that containers running in my 10.0.0.x network are not able to resolve names until I give ufw a rule that allows outgoing traffic from a container, e.g.:
10.0.0.5 = my Nextcloud container
ufw route allow proto tcp from 10.0.0.5 to any
Thank you very much!
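As an added example, not part of the question above: a small script that prints a least-privilege set of `ufw route` rules for a custom Docker network in the shape the post uses (only the reverse proxy reachable from outside, DNS egress for the whole subnet, proxy-to-backend on the service port only) and counts how many container addresses are exposed to `any`. The subnet, proxy address, backend list and resolver target are assumed placeholders modelled on the question; the script relies on ufw's default forward policy being DROP, so no explicit deny rule is emitted.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Addresses below
# are assumed placeholders modelled on the question.
DOCKER_NET="10.0.0.0/24"
PROXY_IP="10.0.0.3"        # NGINX Proxy Manager (assumed)
BACKENDS="10.0.0.5:80"     # hypothetical: Nextcloud container, HTTP behind the proxy
RESOLVERS="any"            # where container DNS queries may go; narrow to your resolver IPs

# Print the rule set. Review it, then run it on the host (e.g. build_rules | sh).
build_rules() {
    # Inbound from outside: only the reverse proxy, only HTTPS and HTTP.
    echo "ufw route allow proto tcp from any to $PROXY_IP port 443 comment 'Incoming to NGINX Proxy'"
    echo "ufw route allow proto tcp from any to $PROXY_IP port 80 comment 'Incoming to NGINX Proxy (http)'"
    # Name resolution for every container: DNS uses UDP 53 and falls back to TCP 53.
    echo "ufw route allow proto udp from $DOCKER_NET to $RESOLVERS port 53 comment 'Container DNS'"
    echo "ufw route allow proto tcp from $DOCKER_NET to $RESOLVERS port 53 comment 'Container DNS over TCP'"
    # The proxy may reach each backend on its service port only.
    for b in $BACKENDS; do
        ip=${b%%:*}
        port=${b##*:}
        echo "ufw route allow proto tcp from $PROXY_IP to $ip port $port comment 'Proxy to backend $ip'"
    done
}

# Number of distinct container addresses that 'any' may reach directly.
# For a proxy-only setup this should be exactly 1.
exposed_hosts() {
    build_rules \
        | sed -n 's/.*allow proto [a-z]* from any to \([0-9.]*\) .*/\1/p' \
        | sort -u \
        | grep -c .
}

build_rules
echo "# externally reachable container addresses: $(exposed_hosts)"
```

Run it once with `build_rules | sh` on the host after checking the output; the exposure count is a quick check that adding a new backend did not accidentally open it to the outside.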