zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

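Added example (not code from the thread or from Docker): a small POSIX sh/awk check that reads the `docker ps --format '{{.Names}}\t{{.Ports}}'` output and flags every published port bound to all interfaces (`0.0.0.0` or `:::`) rather than to loopback, i.e. mappings that would be reachable despite a host firewall as post 1 describes. The sample `docker ps` output below is constructed for the example.

```shell
#!/bin/sh
# Constructed stand-in for: docker ps --format '{{.Names}}\t{{.Ports}}'
SAMPLE_PS=$(printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\ndb\t127.0.0.1:5432->5432/tcp\ncache\t6379/tcp\n')

# find_exposed PS_OUTPUT
# Prints "container host_ip:host_port" for every mapping whose host side is
# not loopback. Mappings without "->" are EXPOSE-only (no host binding) and
# are skipped, as are 127.0.0.0/8 and [::1] binds, which the thread's
# "127.0.0.1:1234:1234" style produces.
find_exposed() {
    printf '%s\n' "$1" | awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (index(m, "->") == 0) continue        # no host binding
            split(m, parts, "->")
            hostside = parts[1]                      # e.g. 0.0.0.0:8080
            if (hostside ~ /^127\./) continue        # IPv4 loopback
            if (hostside ~ /^\[?::1\]?:/) continue   # IPv6 loopback
            print $1 " " hostside
        }
    }'
}

# Stand-alone usage: run against live output instead of the sample.
#   find_exposed "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
find_exposed "$SAMPLE_PS"
```

Any line printed is a container port that the host firewall rules will not protect once Docker has inserted its own iptables rules; binding it to `127.0.0.1` (or dropping the host mapping entirely) removes it from the list.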
2. globul+V5 2025-01-05 13:53:07
>>smarx0+P4
This is only an issue if you run Docker on your firewall, which you absolutely should not.
3. Volund+Ok 2025-01-05 16:05:15
>>globul+V5
Do you not run firewalls on your internal facing machines to make sure they only have the correct ports exposed?

Security isn't just an at-the-edge thing.

4. globul+qS1 2025-01-06 07:47:53
>>Volund+Ok
No. That would be incredibly annoying, and it's probably why Docker overrides it, as it would cause all manner of confusion.