zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission; see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. aaomid+z7 2025-01-05 14:14:35
>>smarx0+P4
Tbh I prefer not exposing any ports directly, and then throwing Tailscale on the network used by docker. This automatically protects everything behind a private network too.
3. bakugo+5u 2025-01-05 17:18:43
>>aaomid+z7
Important to note that, even if you use Tailscale, the firewall punching happens regardless, so you still have to make sure you either:

1. Have some external firewall outside of the Docker host blocking the port

2. Explicitly tell Docker to bind to the Tailscale IP only

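The two posts above (binding to `127.0.0.1` instead of all interfaces, and binding to the Tailscale IP only) both come down to what the host-IP part of a Docker port mapping says. The following checker is an added example, not code from this thread, from Docker or from Tailscale: it parses Docker's short port syntax (`[host_ip:][host_port:]container_port[/protocol]`) and Compose long-form mappings, and reports which mappings land on all interfaces, on loopback, or on a tailnet address. The sample mappings are constructed for the example; the assumption that a tailnet address lies in `100.64.0.0/10` reflects the CGNAT block Tailscale assigns from.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Tailscale hands out addresses from the CGNAT block 100.64.0.0/10 (assumption
# documented in the lead-in; adjust if your tailnet uses something else).
TAILNET = ipaddress.ip_network("100.64.0.0/10")


@dataclass
class PortBinding:
    host_ip: Optional[str]      # None means Docker's default, i.e. all interfaces
    host_port: Optional[str]    # None means Docker picks an ephemeral host port
    container_port: str
    protocol: str


def parse_port_spec(spec: str) -> PortBinding:
    """Parse Docker's short syntax: [host_ip:][host_port:]container_port[/proto]."""
    spec = spec.strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):  # bracketed IPv6 host address, e.g. "[::1]:8080:80"
        end = spec.index("]")
        host_ip = spec[1:end]
        parts = spec[end + 1:].lstrip(":").split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip, parts = parts[0], parts[1:]
        elif len(parts) > 3:
            raise ValueError(f"unrecognised port mapping: {spec!r}")
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return PortBinding(host_ip or None, host_port, container_port, proto.lower())


def from_long_syntax(entry: Dict[str, Union[str, int]]) -> PortBinding:
    """Compose long form: {target, published, host_ip, protocol}."""
    published = entry.get("published")
    return PortBinding(
        host_ip=str(entry["host_ip"]) if entry.get("host_ip") else None,
        host_port=str(published) if published is not None else None,
        container_port=str(entry["target"]),
        protocol=str(entry.get("protocol", "tcp")).lower(),
    )


def classify(binding: PortBinding) -> str:
    """Where on the host does this mapping listen?"""
    if binding.host_ip is None:
        return "all-interfaces"  # Docker's default: bind 0.0.0.0 / ::
    addr = ipaddress.ip_address(binding.host_ip)
    if addr.is_unspecified:      # explicit 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if addr in TAILNET:
        return "tailnet"
    return "specific-address"


def audit(specs: List[Union[str, Dict[str, Union[str, int]]]]) -> Dict[str, str]:
    """Map each mapping (as written) to its exposure class."""
    result = {}
    for spec in specs:
        binding = from_long_syntax(spec) if isinstance(spec, dict) else parse_port_spec(spec)
        key = spec if isinstance(spec, str) else f"{binding.host_ip}:{binding.host_port}:{binding.container_port}"
        result[key] = classify(binding)
    return result


def wide_open(specs: List[Union[str, Dict[str, Union[str, int]]]]) -> List[str]:
    """The mappings that reach every interface, i.e. the ones the firewall rules won't save you from."""
    return [spec for spec, cls in audit(specs).items() if cls == "all-interfaces"]


if __name__ == "__main__":
    # Constructed sample mappings, in the style of a compose "ports:" section.
    sample = ["1234:1234", "127.0.0.1:1234:1234", "0.0.0.0:443:443",
              "100.101.102.103:5432:5432/udp", "[::1]:8080:80", "80",
              {"target": 80, "published": 8080, "host_ip": "127.0.0.1"}]
    for spec, cls in audit(sample).items():
        print(f"{spec:35} {cls}")
```

Run it over the `ports:` entries of each service in a compose file (or the `-p` arguments of `docker run`); anything reported as `all-interfaces` is reachable from every address the host has, whatever the host firewall says, for the reason the first post gives. A `tailnet` result is what the second option in post 3 looks like in practice.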
4. aaomid+vK 2025-01-05 19:23:59
>>bakugo+5u
> the firewall punching happens regardless

Does it? I think it only happens if you specifically enumerate the ports. You do not need to enumerate the ports at all if you're using Tailscale as a container.

5. bakugo+jN 2025-01-05 19:47:26
>>aaomid+vK
Oh, I didn't realize you meant running Tailscale in docker, my bad. Then yeah, that's safe.