VM Firewall implicitly allow ports... Why?

Hi there,

I have a docker-compose with two ports :

    ports:
    - 20517:20517/udp
    - 20519:20519/udp

My firewall (UFW) configuration denies all incoming packets except SSH:

Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere

Why are the ports 20517 and 20519 reachable from outside while the firewall does not allow them? I don’t understand…

Docker automatically updates standard firewall rules to allow incoming connection when you specify a port to be opened.

This is mostly for convenience for standard users. If you use ports:, you usually want to open the ports.

Here are the docs: https://docs.docker.com/network/packet-filtering-firewalls/

You can generally stop Docker from creating iptables rules for you by adding "iptables": false to /etc/docker/daemon.json (you need to create the file and begin it with a { and end it with }, if it doesn’t exist).

Though, if people want published ports to be available only from the local machine, they publish them with 127.0.0.1:20517:20517/udp, and don’t bother to disable Docker’s iptables management at all.

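As an added example (not code from this thread or from Docker), a small Python audit that parses Compose short-syntax port entries, reports which ones Docker will publish on every interface (and therefore open via its own iptables rules, bypassing UFW's deny-incoming default), and rewrites them to the 127.0.0.1-bound form the reply suggests. The sample port list is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Compose short syntax: [host_ip:][host_port:]container_port[/protocol]
# A missing host_ip means Docker binds 0.0.0.0 and adds its own DOCKER-chain
# iptables rule, so UFW's "deny incoming" default never sees the traffic.
PORT_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]):)?"
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"
    r"(?P<container>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)
LOOPBACK = {"127.0.0.1", "[::1]"}

@dataclass
class Published:
    host_ip: str                 # "0.0.0.0" when the spec gave no address
    host_port: Optional[str]     # None: Docker picks an ephemeral host port
    container_port: str
    protocol: str

    @property
    def exposed_externally(self) -> bool:
        return self.host_ip not in LOOPBACK

def parse_port(spec) -> Published:
    m = PORT_RE.match(str(spec))          # YAML may hand us a bare int like 3000
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return Published(m["ip"] or "0.0.0.0", m["host"] or None,
                     m["container"], m["proto"] or "tcp")

def audit_ports(specs: List) -> List:
    """Return the entries Docker would publish on every interface."""
    return [s for s in specs if parse_port(s).exposed_externally]

def bind_to_loopback(spec) -> str:
    """Rewrite a spec so the host side listens on 127.0.0.1 only."""
    p = parse_port(spec)
    if not p.exposed_externally:
        return str(spec)
    host = p.host_port or ""              # "" keeps Docker's ephemeral host port
    return f"127.0.0.1:{host}:{p.container_port}/{p.protocol}"

# Constructed sample: the two UDP ports from the question plus two extra cases.
SAMPLE_PORTS = ["20517:20517/udp", "20519:20519/udp", "127.0.0.1:8080:80", 3000]

if __name__ == "__main__":
    for spec in audit_ports(SAMPLE_PORTS):
        print(f"{spec!s:<20} reachable on all interfaces -> {bind_to_loopback(spec)}")
```

Binding to loopback only changes which host address Docker listens on; the disabled-iptables route from the earlier reply is the alternative when you want UFW to be the single point of control.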

Thank you so much for the explanation!