Make Docker play nicely with UFW on Ubuntu #1251

Closed
ndarilek opened this Issue Jul 20, 2013 · 10 comments

@ndarilek
Contributor

ndarilek commented Jul 20, 2013

UFW is Ubuntu's Uncomplicated FireWall. It lets you easily set up block/allow rules with a single command.

Unfortunately, it doesn't play nicely with Docker because they both configure IPTables. A container with ip_forward set to 1 cannot communicate outside of itself, but running:

ufw disable

brings down the firewall and everything starts working fine.

I'm fairly sure it is possible for packages to add UFW configuration such that their own behaviors can be supported, but I'm not immediately sure how. This may be the cause of various network issues under Ubuntu, so making Docker play nicely with UFW might resolve a number of issues for folks.

@ghost ghost assigned vieux Jul 24, 2013

@vieux

Collaborator

vieux commented Jul 26, 2013

Hi,

When you turn UFW on, it uses a default set of rules (profile) that should be fine for the average home user. That's at least the goal of the Ubuntu developers. In short, all 'incoming' is being denied, with some exceptions to make things easier for home users.

Maybe one day, Docker will be part of the exceptions 😃

I'm not sure that adding a rule to ufw in our package is the right thing to do (for security reasons).
I think if you want to enable ufw, you have to add the right rules for docker:

sudo ufw allow 4243/tcp

What do you think @shykes @samalba ?

@shykes

Collaborator

shykes commented Jul 26, 2013

Does ufw also deny connections to 127.0.0.1:4243 ?


@ndarilek

Contributor Author

ndarilek commented Jul 26, 2013

IIRC it only blocks external connections to 4243 by default. Everything works fine for me until I'm in a container and attempt to connect out, at which point I can't ping any IP even with ip_forwarding set to 1. Would a blocked connection to 4243 cause that?

@vieux

Collaborator

vieux commented Jul 29, 2013

@ndarilek it's because docker uses a bridge and ufw's default forward policy is DROP; a quick fix is to ALLOW forwarding:

sudo nano /etc/default/ufw
----
# Change:
# DEFAULT_FORWARD_POLICY="DROP"
# to
DEFAULT_FORWARD_POLICY="ACCEPT"
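The edit described above, as an added example rather than code from the issue or from Docker: a pair of POSIX shell functions that read and rewrite the DEFAULT_FORWARD_POLICY line, refusing values ufw does not understand. The file path is a parameter so the change can be rehearsed on a copy before it is applied to the real /etc/default/ufw (assumed to be the file being edited above).

```shell
# Added example, not from the issue. Inspect and change the
# DEFAULT_FORWARD_POLICY line of a ufw defaults file (normally
# /etc/default/ufw, passed in as FILE so a copy can be used for a dry run).

# Print the current DEFAULT_FORWARD_POLICY value of FILE, quotes stripped.
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY=//p' "$1" | tr -d '"' | tail -n 1
}

# Rewrite DEFAULT_FORWARD_POLICY in FILE to POLICY.
# Only the three values ufw understands (DROP, ACCEPT, REJECT) are allowed;
# anything else, or a file without the key, is refused with exit status 1.
# The edit goes through a temp file and is written back with cat so the
# original file's owner and mode are preserved.
set_ufw_forward_policy() {
    file=$1
    policy=$2
    case "$policy" in
        DROP|ACCEPT|REJECT) ;;
        *) echo "refusing unknown forward policy: $policy" >&2; return 1 ;;
    esac
    grep -q '^DEFAULT_FORWARD_POLICY=' "$file" || {
        echo "no DEFAULT_FORWARD_POLICY line in $file" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    sed "s/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY=\"$policy\"/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use as root on the Docker host, followed by reloading ufw so the
# new FORWARD chain policy takes effect:
#   set_ufw_forward_policy /etc/default/ufw ACCEPT && ufw reload
```

With ACCEPT, ufw stops filtering forwarded packets on every interface, not only the docker0 bridge, so the host's other forwarding paths should be reviewed before relying on this setting.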

@ndarilek

Contributor Author

ndarilek commented Jul 30, 2013

Yes, this works for me. Thanks.

@vieux vieux referenced this issue Jul 30, 2013

Merged

Add ufw doc #1343

@joevandyk

Contributor

joevandyk commented Aug 7, 2013

For what it's worth, I haven't touched ufw at all with Ubuntu 12.04, and everything seems to be working fine.

@vieux

Collaborator

vieux commented Aug 8, 2013

I'm not sure ufw is enabled by default.


@crosbymichael

Member

crosbymichael commented Aug 12, 2013

Closing because the documentation updates have been merged.

@honi


honi commented Aug 7, 2014

What about using ufw to limit access to an exposed port from a docker container?
Say I have a redis container exposed through the host, and I want to deny all traffic except if it comes from a specific IP.

$ docker run -d -p <HostIP>:6379:6379 redis
$ ufw allow from <OtherHostIP> to <HostIP> port 6379
$ ufw deny to <HostIP>

This does not work for me. I can connect from any host to the redis container. Maybe my configuration is wrong. Any help is welcomed!

I think my problem is described in #4737.

@funkyfuture


funkyfuture commented Mar 4, 2018

related and seemingly the current issue to track this: #4737
