zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way, but to access the container an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. adrian+qs 2025-01-05 17:04:27
>>smarx0+P4
Securing it is straightforward; too bad it's not the default: https://docs.docker.com/engine/network/packet-filtering-fire...
3. smarx0+7u 2025-01-05 17:18:52
>>adrian+qs
Do I understand the bottom two sections correctly? If I am using ufw as a frontend, I need to switch to firewalld instead and modify the 'docker-forwarding' policy to only forward to the 'docker' zone from loopback interfaces? Would be good if the page described how to do it, esp. for users who are migrating from ufw.

More confusingly, firewalld has a different feature to address the core problem [1] but the page you linked does not mention 'StrictForwardPorts' and the page I linked does not mention the 'docker-forwarding' policy.

[1]: https://firewalld.org/2024/11/strict-forward-ports

4. adrian+pP 2025-01-05 20:03:46
>>smarx0+7u
I'm not sure about ufw/firewalld. Maybe the docs aren't clear there either.

I configured iptables and had no trouble blocking WAN access to docker...

In addition to that, there's the default host in daemon.json, plus specifying bindings to localhost directly in compose or manually.
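
The two mitigations mentioned in this thread (an explicit `127.0.0.1:` prefix on each published port, as in post 1, and a daemon-wide default bind address in daemon.json, as in post 4) both come down to which host IP a published port ends up bound to. The following is an added example, not code from the thread, from Docker or from the linked docs: it parses compose/CLI short-syntax port specs (`[[host_ip:][host_port]:]container_port[/protocol]`), applies the daemon.json `"ip"` key (the `dockerd --ip` default, which is `0.0.0.0` when unset) and reports every port that is not bound to a loopback address. The split-from-the-right handling of IPv6 host IPs mirrors what the Docker port-spec parser does and is stated here as an assumption; the sample `ports:` list and daemon.json are constructed.

```python
"""Audit Docker published ports for non-loopback bindings (added example).

Models the compose short port syntax  [[host_ip:][host_port]:]container_port[/proto]
plus the daemon.json "ip" key (dockerd --ip), which supplies the host IP for any
published port that does not name one. When neither is set the bind address is
0.0.0.0, i.e. every interface, which is what the thread is warning about.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortBinding:
    host_ip: str          # effective host address after applying the daemon default
    host_port: str        # "" means Docker picks an ephemeral host port
    container_port: str
    protocol: str
    explicit_ip: bool     # True if the spec itself named a host IP

    @property
    def loopback_only(self) -> bool:
        """True when the port is reachable only via 127.0.0.0/8 or ::1."""
        return ipaddress.ip_address(self.host_ip).is_loopback


def parse_port_spec(spec, daemon_default_ip: Optional[str] = None) -> PortBinding:
    """Parse one `ports:` entry and resolve the host IP it will bind to."""
    spec = str(spec).strip()            # compose allows bare ints such as `- 8443`
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)

    # Split from the right: the last field is always the container port, the one
    # before it (if present) the host port, and anything left over is the host IP.
    # This keeps unbracketed IPv6 such as ::1:8080:80 intact (assumed to match Docker).
    parts = spec.split(":")
    host_ip = ""
    if len(parts) == 1:
        host_port, container_port = "", parts[0]
    elif len(parts) == 2:
        host_port, container_port = parts
    else:
        host_ip = ":".join(parts[:-2])
        host_port, container_port = parts[-2:]
    if host_ip.startswith("[") and host_ip.endswith("]"):   # [::1]:8080:80 form
        host_ip = host_ip[1:-1]

    effective_ip = host_ip or daemon_default_ip or "0.0.0.0"
    ipaddress.ip_address(effective_ip)  # raises ValueError on a malformed address
    return PortBinding(effective_ip, host_port, container_port, protocol, bool(host_ip))


def default_ip_from_daemon_json(text: str) -> Optional[str]:
    """Return the daemon-wide default bind IP ("ip" key in daemon.json), or None."""
    return json.loads(text).get("ip")


def audit_ports(port_specs, daemon_default_ip: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (spec, effective_host_ip) for every port not confined to loopback."""
    exposed = []
    for spec in port_specs:
        binding = parse_port_spec(spec, daemon_default_ip)
        if not binding.loopback_only:
            exposed.append((str(spec), binding.host_ip))
    return exposed


# Constructed sample: entries as they might appear under a compose service's `ports:`.
SAMPLE_PORTS = [
    "1234:1234",                 # the pattern post 1 warns about: all interfaces
    "127.0.0.1:1234:1234",       # the pattern post 1 recommends
    "[::1]:5432:5432",           # IPv6 loopback, bracketed
    "0.0.0.0:8080:80/tcp",       # explicit wildcard; a daemon default cannot rescue it
    "9000",                      # container port only, ephemeral host port, default IP
    8443,                        # same, written as a YAML integer
    "192.168.1.10:53:53/udp",    # bound to a LAN address, not loopback
]

# Constructed sample daemon.json with the default bind address post 4 refers to.
SAMPLE_DAEMON_JSON = '{"ip": "127.0.0.1", "log-driver": "journald"}'


if __name__ == "__main__":
    print("Exposed with stock daemon settings:")
    for spec, ip in audit_ports(SAMPLE_PORTS):
        print(f"  {spec!r:28} -> binds {ip}")
    default_ip = default_ip_from_daemon_json(SAMPLE_DAEMON_JSON)
    print(f"Exposed with daemon.json ip={default_ip}:")
    for spec, ip in audit_ports(SAMPLE_PORTS, default_ip):
        print(f"  {spec!r:28} -> binds {ip}")
```

Note what the daemon default does and does not fix: it only applies to specs that name no host IP, so an explicit `0.0.0.0:` or LAN-address prefix in a compose file still publishes on that address. Binding to loopback also says nothing about the forwarding rules Docker installs for the port; that is the separate DOCKER-USER / firewalld question the rest of the thread is about.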
