FirewallD doesn't go well with Docker #461
I am an avid user of CentOS, which has shipped firewalld for a long time.
So I've been using Docker fairly recently, and yesterday I noticed firewalld rules are completely ignored by docker/docker containers. I found this funny because on your home page you read:
So basically I was setting up a server whose sole purpose is to run docker containers.
So then I went to testing, and I connected just fine. But then I logged in to another remote server, and I accessed the same when I totally should not have.
These are outputs of my firewalld:
Also, I asked a friend to test using netcat, from yet another random location, and he managed to connect too...
FirewallD doesn't play nice with Docker (or vice-versa)
Meanwhile I came across the fact that FirewallD and Docker do not play along.
As it says in the very first sentence:
Which wouldn't be my first resort, as it is advised against.
So I don't get how we go from this to firewalld friendly, but I would enjoy learning.
But as firewalld gets more and more audience, I think it would be useful if someone:
a) fixes where it says firewalld works with docker...
IIRC, in the case of docker this means docker will see that firewalld is in use and add its rules through firewalld's direct interface. It's not full support, but it is some support.
This can be done already.
I'm not sure what you're looking for. "play nice with docker" is a very vague request - especially as some level of "playing" already exists.
I'm not sure what @maverick85 means by "play nice with docker", but for me that means that traffic to the ports that are published by docker are subject to the same filtering rules as if a service was running on a port without the docker isolation.
For example, suppose I only enable the https service in firewalld for the work zone. If I run a "native" webserver on 443, connections not associated with the work zone would be denied. However, as it stands now, if I run a webserver in docker, with -p 443:8443 to set up the port forwarding, any connection will be allowed. What I would like to happen is that only connections that would have been associated with the work zone be allowed.
From @erig0's comment and others on the Internet, it seems there is a work-around by setting up rules in the DOCKER-USER chain, but a major downside to me is that firewalld's concept of zones is not available in the DOCKER-USER chain.
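An added audit example, not code from any participant in this thread or from the firewalld or Docker projects: it reads the output of `docker ps` and `iptables -S DOCKER-USER` (both embedded here as constructed samples) and reports, for every published port, whether it is bound to loopback, covered by a DROP/REJECT rule in DOCKER-USER, or reachable from anywhere, which is the situation the comment above describes. One caveat the check builds in: DOCKER-USER sits in the FORWARD chain after Docker's DNAT, so `--dport` there matches the container port (8443 for `-p 443:8443`), while the original host port is matched with `-m conntrack --ctorigdstport`. Interface and address values in the samples are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output (not real hosts).
DOCKER_PS = """\
web 0.0.0.0:443->8443/tcp
jenkins 0.0.0.0:8080->8080/tcp
db 127.0.0.1:5432->5432/tcp
"""

# Constructed sample of `iptables -S DOCKER-USER` output. The DROP rule matches the
# original host port (443) via conntrack because DOCKER-USER runs after DNAT;
# eth0 and 10.0.0.0/8 are placeholder values for the external interface and trusted range.
IPTABLES_DOCKER_USER = """\
-N DOCKER-USER
-A DOCKER-USER ! -s 10.0.0.0/8 -i eth0 -p tcp -m conntrack --ctorigdstport 443 -j DROP
-A DOCKER-USER -j RETURN
"""

PORT_RE = re.compile(r'(?P<ip>[\d.]+):(?P<host>\d+)->(?P<ctr>\d+)/(?P<proto>\w+)')


@dataclass(frozen=True)
class Published:
    name: str
    bind_ip: str
    host_port: int
    ctr_port: int
    proto: str


def parse_published(ps_output):
    """Turn `docker ps` port columns into Published records (one per mapping)."""
    result = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition(' ')
        for m in PORT_RE.finditer(ports):
            result.append(Published(name, m['ip'], int(m['host']), int(m['ctr']), m['proto']))
    return result


def parse_docker_user(iptables_output):
    """Return the token lists of all rules appended to DOCKER-USER (RETURN included)."""
    rules = []
    for line in iptables_output.splitlines():
        toks = line.split()
        if toks[:2] != ['-A', 'DOCKER-USER']:
            continue
        rules.append(toks[2:])
    return rules


def _flag_value(toks, flag):
    """Value following an iptables flag, or None if the flag is absent."""
    try:
        return toks[toks.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def _port_matches(spec, port):
    """iptables port specs may be a single port or a 'lo:hi' range."""
    lo, _, hi = spec.partition(':')
    return int(lo) <= port <= int(hi or lo)


def rule_restricts(rule, pub):
    """True if a DOCKER-USER rule drops or rejects traffic to this published port."""
    if _flag_value(rule, '-j') not in ('DROP', 'REJECT'):
        return False
    proto = _flag_value(rule, '-p')
    if proto and proto != pub.proto:
        return False
    orig = _flag_value(rule, '--ctorigdstport')   # pre-DNAT host port
    dport = _flag_value(rule, '--dport')           # post-DNAT container port
    if orig is not None:
        return _port_matches(orig, pub.host_port)
    if dport is not None:
        return _port_matches(dport, pub.ctr_port)
    return True  # no port match at all: the rule applies to every forwarded packet


def audit(ps_output, iptables_output):
    """Map 'name:hostport/proto' to 'loopback', 'restricted' or 'exposed'."""
    rules = parse_docker_user(iptables_output)
    verdicts = {}
    for pub in parse_published(ps_output):
        key = f"{pub.name}:{pub.host_port}/{pub.proto}"
        if pub.bind_ip.startswith('127.'):
            verdicts[key] = 'loopback'
        elif any(rule_restricts(r, pub) for r in rules):
            verdicts[key] = 'restricted'
        else:
            verdicts[key] = 'exposed'
    return verdicts


if __name__ == "__main__":
    for key, verdict in audit(DOCKER_PS, IPTABLES_DOCKER_USER).items():
        print(f"{key:20s} {verdict}")
```

With the samples above, `web:443/tcp` is reported as restricted, `jenkins:8080/tcp` as exposed (no DOCKER-USER rule covers it, so the firewalld zone settings never see that traffic), and `db:5432/tcp` as loopback. Feeding the script the real command outputs on a host is a quick way to list which published ports the zone configuration does not protect.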
On a freshly installed CentOS 7 system with firewalld and docker from the system repositories, my expectation was that the firewall rules from the public zone, which are locked down by default, would have exactly the same effect on ports opened and forwarded from Docker containers, but to my great (and unpleasant) surprise I found out that my Jenkins instance running inside a Docker container is public instead, and now I know why.
Is there a cleaner way to solve this problem with making zone settings apply to Docker or the only way is to hack around with