On 19.08.2023 16:48, Alex wrote:
I'm a long-time Linux sysadmin but haven't done much with docker and
containers or firewalls beyond iptables. I have inherited a fedora38
system where another admin has installed python3-docker, but port 8080
is now exposed to the Internet.
I have a basic iptables firewall that I set up some time ago (when the
system was probably fedora35), but iptables also shows some docker rules:
# iptables -nvL|grep ^Chain|grep DOCKER
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
Where do these chains/policies come from? Is it also an iptables
firewall or is it using ufw?
Why wouldn't it use firewall-cmd? Isn't that the default desktop
firewall app now for fedora?
The docker doesn't play well with ufw or firewalld, in my experience.
It customizes rules directly, which makes it difficult to control with
publicly available networks. The simplest way to do firewall
customization is to turn off firewall customization in the docker and do
Firstly, update docker.service to include the following option
ExecStart=/usr/bin/dockerd -H fd://
Restart the Docker service and verify the existence of the Docker zone
if using firewalld:
interfaces: br-custom1 br-custom2 docker0
Add the available docker bridge interfaces (br-custom* and docker0) to
the docker zone. Check if the target zone is ACCEPT instead of default.
I hope that helps.
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue