
Added jump to ufw-before-forward rule #39

Open: wants to merge 1 commit into master
Conversation

vitalyrepin

This chain shall be executed prior to ufw-user-forward to avoid accepting packets
in the ufw-user-forward before they are checked (and possibly dropped) in ufw-before-forward

chaifeng (Owner) commented Apr 2, 2021

Hi @vitalyrepin

Thanks for your pull request. I'm sorry for the late response.

I've considered using ufw-before-forward instead of ufw-user-forward, because the first rule of ufw-before-forward jumps to ufw-user-forward. So it makes sense to use ufw-before-forward.

But I have a concern. From the UFW manual pages, we know that we can customize iptables rules inside the chain ufw-before-forward. We must take these rules seriously; otherwise, they may have a bad impact on Docker.

Just using ufw-user-forward can reduce this kind of risk, because the rules inside this user chain are managed by the ufw command. People can use ufw status to review these rules easily. You know, some people are not familiar with the iptables command.

So I'm thinking about preventing people from making unintentional mistakes that make Docker not work. For advanced users who know what they are doing, using the ufw-before-forward chain can bring some benefits.

What are your thoughts? Thank you.

zhen-huan-hu commented

Sorry for the late comment.

If someone customizes ufw-before-forward, he/she should already know the risk of messing with iptables. On the other hand, by appending ufw-user-forward in DOCKER-USER without any match specifically for Docker interfaces, ufw-user-forward is put ahead of ufw-before-forward, which in itself could have unwanted consequences.

What are your thoughts on appending ufw-user-forward with -o docker0 and -o br-+; and also copying default rules from ufw-before-forward (so that even if someone customizes ufw-before-forward it won't affect the DOCKER-USER chain)?

Something like the following (I removed some default ICMP rules from ufw-before-forward, as they appear redundant with -m conntrack --ctstate RELATED,ESTABLISHED):

*filter
:ufw-user-forward - [0:0]
:ufw-docker-forward - [0:0]
:DOCKER-USER - [0:0]

-A DOCKER-USER ! -i docker0 -o docker0 -j ufw-docker-forward
-A DOCKER-USER ! -i br-+ -o br-+ -j ufw-docker-forward
-A DOCKER-USER -j RETURN

-A ufw-docker-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-docker-forward -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A ufw-docker-forward -j ufw-user-forward
-A ufw-docker-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-forward -j DROP

COMMIT
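The chain order this proposal produces, traced by a small rule evaluator added here as an illustration (it is not code from the PR or from ufw-docker). It parses the fragment above plus one constructed ufw-user-forward rule standing in for a user's own allow rule, and walks a packet from DOCKER-USER the way the kernel would: RELATED,ESTABLISHED is accepted before ufw-user-forward is consulted, LOG is non-terminating, a user chain's RETURN resumes the caller, and traffic that does not enter a Docker bridge falls through untouched.

```python
import shlex

# Constructed input: the DOCKER-USER / ufw-docker-forward rules proposed in the thread,
# plus one hypothetical ufw-user-forward rule standing in for a user's own "allow 80" rule.
RULES = """-A DOCKER-USER ! -i docker0 -o docker0 -j ufw-docker-forward
-A DOCKER-USER ! -i br-+ -o br-+ -j ufw-docker-forward
-A DOCKER-USER -j RETURN
-A ufw-docker-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-docker-forward -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A ufw-docker-forward -j ufw-user-forward
-A ufw-docker-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-forward -j DROP
-A ufw-user-forward -i eth0 -o docker0 -p tcp --dport 80 -j ACCEPT"""
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "--ctstate": "state",
        "--icmp-type": "icmp_type", "--dport": "dport"}   # options modelled by matches()
def parse(text):
    chains = {}                                      # {chain: [(match options, target)]}
    for tok in (shlex.split(l) for l in text.splitlines() if l.startswith("-A")):
        rule, i = {}, 2
        while i < len(tok):
            neg = int(tok[i] == "!")                 # "! -i docker0" negates the match
            if tok[i + neg] in KEYS:                 # -m, --limit, -j ...: skipped here
                rule[KEYS[tok[i + neg]]] = (tok[i + neg + 1], neg)
            i += 2 + neg
        chains.setdefault(tok[1], []).append((rule, tok[tok.index("-j") + 1]))
    return chains
def iface(pat, name):                                # a trailing '+' is a prefix wildcard
    return name.startswith(pat[:-1]) if pat.endswith("+") else name == pat
def matches(rule, pkt):
    for key, (val, neg) in rule.items():
        hit = (iface(val, pkt[key]) if key in ("in", "out") else
               pkt["state"] in val.split(",") if key == "state" else
               str(pkt.get(key)) == val)
        if hit == bool(neg):                         # a negated option must not hit
            return False
    return True
def walk(chains, chain, pkt, trace):
    for rule, target in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}:{target}")
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        if target != "LOG" and (sub := walk(chains, target, pkt, trace)) != "RETURN":
            return sub                               # LOG is non-terminating; a user
    return "RETURN"                                  # chain's RETURN resumes the caller
def verdict(pkt, rules=RULES):                       # -> (ACCEPT|DROP|RETURN, path taken)
    trace = []
    return walk(parse(rules), "DOCKER-USER", pkt, trace), trace
```

A verdict of RETURN from DOCKER-USER means the packet did not enter a Docker bridge and continues down the regular FORWARD chain, i.e. through ufw-before-forward as before.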
