Thank you all so much for the info. I'll work on this over the weekend.
On Tue, Aug 22, 2023 at 3:59 PM Daniel Walsh <dwalsh@xxxxxxxxxx> wrote:
On 8/20/23 10:05, Oleg Cherkasov wrote:
> On 19.08.2023 16:48, Alex wrote:
>> Hi,
>> I'm a long-time Linux sysadmin but haven't done much with docker and
>> containers or firewalls beyond iptables. I have inherited a fedora38
>> system where another admin has installed python3-docker, but port
>> 8080 is now exposed to the Internet.
>>
>> I have a basic iptables firewall that I set up some time ago (when
>> the system was probably fedora35), but iptables also shows some
>> docker rules:
>>
>> # iptables -nvL|grep ^Chain|grep DOCKER
>> Chain DOCKER (2 references)
>> Chain DOCKER-ISOLATION-STAGE-1 (1 references)
>> Chain DOCKER-ISOLATION-STAGE-2 (2 references)
>>
>> Where do these chains/policies come from? Is it also an iptables
>> firewall or is it using ufw?
>>
>> Why wouldn't it use firewall-cmd? Isn't that the default desktop
>> firewall app now for fedora?
>
> Docker doesn't play well with ufw or firewalld, in my experience.
> It customizes rules directly, which makes it difficult to control with
> publicly available networks. The simplest way to do firewall
> customization is to turn off firewall customization in Docker and
> do it manually.
>
> Firstly, update docker.service to include the following option
> (--iptables=false):
>
> /etc/systemd/system/docker.service.d/override.conf
>
> [Service]
> ExecStart=
> ExecStart=/usr/bin/dockerd -H fd:// \
>     --containerd=/run/containerd/containerd.sock \
>     --iptables=false
>
> Restart the Docker service and verify the existence of the Docker zone
> if using firewalld:
>
> docker (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: br-custom1 br-custom2 docker0
> sources:
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> Add the available docker bridge interfaces (br-custom* and docker0) to
> the docker zone. Check if the target zone is ACCEPT instead of default.
>
> I hope that helps.
>
>
You could always switch to using Podman, which will not open the port on
the host by default.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
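The thread's fix is the `--iptables=false` override plus firewalld's docker zone. As an added check that is not from any poster on the thread, the script below parses `iptables-save -t nat` style output (a constructed sample is embedded, so it runs offline) and lists the DOCKER-chain DNAT rules that are not bound to a specific host address with `-d`; that is the rule shape that makes a published port such as 8080 answer on every interface, including the Internet-facing one. It also checks whether a drop-in file already carries `--iptables=false`. The rule text pattern follows what Docker's iptables integration emits for `-p 8080:8080` versus `-p 127.0.0.1:8080:8080`; the function names and the sample lines are mine.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output, trimmed to the DOCKER
# chain. These three lines are made up for the example; real output differs.
# Rule 2 publishes 8080 on every host address; rule 3 is pinned to 127.0.0.1.
SAMPLE_NAT_RULES='-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432'

# Print "proto dport destination" for each DNAT rule in the DOCKER chain that
# carries no `-d <addr>/32` restriction, i.e. is reachable on every interface.
# $1 is the rule text (pass "$(iptables-save -t nat)" on a live host, as root).
wide_open_dnat() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && / -j DNAT / && !/ -d [0-9.]+\/32 / {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto, dport, dest
        }'
}

# Return 0 when the given systemd drop-in (e.g. the override.conf from the
# thread) tells dockerd to leave iptables alone, 1 otherwise.
iptables_disabled_in() {
    grep -q -- '--iptables=false' "$1"
}

# Stand-alone run against the constructed sample.
wide_open_dnat "$SAMPLE_NAT_RULES"
```

On a live Fedora host the two checks pair naturally: a non-empty list from `wide_open_dnat "$(iptables-save -t nat)"` together with `iptables_disabled_in /etc/systemd/system/docker.service.d/override.conf` returning 1 means Docker is still writing its own DNAT rules around the host firewall. After switching to the override, `firewall-cmd --info-zone=docker` shows the zone from the thread and `firewall-cmd --permanent --zone=docker --change-interface=docker0` (repeated for each `br-*` bridge, then `firewall-cmd --reload`) places the bridges in it.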