zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

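As an added illustration of the point in the post above (this is example code written for this page, not the commenter's or Docker's own tooling): a small audit that parses the `Ports` column of `docker ps` and flags anything published on a wildcard address, plus a helper that rewrites a compose short-syntax `ports:` entry into the loopback-bound `127.0.0.1:1234:1234` form the commenter uses. The `docker ps` lines and container names are constructed samples, and the check assumes the daemon's default publish address of `0.0.0.0` (it is not reading the daemon config).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `docker ps --format '{{.Names}}\t{{.Ports}}'`
# (hypothetical containers; not taken from the thread).
SAMPLE_DOCKER_PS = """\
db\t0.0.0.0:5432->5432/tcp, [::]:5432->5432/tcp
web\t127.0.0.1:8080->80/tcp
cache\t6379/tcp
"""

# One entry of the Ports column: "[host_ip:host_port->]container_port/proto"
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|[\d.]+):(?P<hport>\d+)->)?(?P<cport>\d+)/(?P<proto>tcp|udp|sctp)$"
)

# Addresses on which a published port is reachable from any interface.
WILDCARDS = ("0.0.0.0", "::", "[::]")


@dataclass(frozen=True)
class Binding:
    container: str
    host_ip: Optional[str]      # None: port is exposed but not published
    host_port: Optional[int]
    container_port: int
    proto: str

    def reachable_from_network(self) -> bool:
        """Published on a wildcard address: Docker's own iptables rules accept
        it before the host's INPUT-chain firewall rules are consulted."""
        return self.host_ip in WILDCARDS


def parse_docker_ps(text: str) -> List[Binding]:
    """Parse name<TAB>ports lines into Binding records."""
    bindings: List[Binding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for spec in filter(None, (p.strip() for p in ports.split(","))):
            m = PORT_RE.match(spec)
            if not m:
                raise ValueError(f"unrecognised port spec: {spec!r}")
            bindings.append(Binding(
                container=name,
                host_ip=m.group("ip"),
                host_port=int(m.group("hport")) if m.group("hport") else None,
                container_port=int(m.group("cport")),
                proto=m.group("proto"),
            ))
    return bindings


def audit(text: str) -> List[Binding]:
    """Return only the bindings that bypass the host firewall."""
    return [b for b in parse_docker_ps(text) if b.reachable_from_network()]


def compose_publish_is_wildcard(spec: str) -> bool:
    """True if a compose short-syntax entry ("[[ip:]host:]container[/proto]")
    publishes on all interfaces; assumes the default publish address."""
    body, _, _proto = spec.partition("/")
    if body.startswith("["):                       # bracketed IPv6 host address
        host_ip, _, _rest = body[1:].partition("]")
        return host_ip in WILDCARDS
    parts = body.rsplit(":", 2)
    if len(parts) == 3:
        return parts[0] in WILDCARDS                # explicit host IP given
    return True                                    # no host IP: defaults to 0.0.0.0


def bind_to_loopback(spec: str) -> str:
    """Rewrite a wildcard entry to the loopback-bound form from the post."""
    if not compose_publish_is_wildcard(spec):
        return spec
    body, slash, proto = spec.partition("/")
    parts = body.rsplit(":", 2)
    if len(parts) == 3:                            # replace 0.0.0.0 / [::] prefix
        body = "127.0.0.1:" + ":".join(parts[1:])
    elif len(parts) == 2:                          # "host:container"
        body = "127.0.0.1:" + body
    else:
        raise ValueError("container-only spec has no fixed host port to bind")
    return body + (slash + proto if slash else "")


if __name__ == "__main__":
    for b in audit(SAMPLE_DOCKER_PS):
        print(f"{b.container}: {b.host_ip}:{b.host_port} -> {b.container_port}/{b.proto}")
    print(bind_to_loopback("1234:1234"))
```

Running it on the sample flags both `db` bindings (IPv4 and IPv6 wildcard) and leaves `web`, which is bound to loopback, and `cache`, which is exposed but never published, alone.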
2. globul+V5 2025-01-05 13:53:07
>>smarx0+P4
This is only an issue if you run Docker on your firewall, which you absolutely should not.
3. Volund+Ok 2025-01-05 16:05:15
>>globul+V5
Do you not run firewalls on your internal facing machines to make sure they only have the correct ports exposed?

Security isn't just an at-the-edge thing.

4. globul+qS1 2025-01-06 07:47:53
>>Volund+Ok
No. That would be incredibly annoying and it's probably why docker overrides it as it would cause all manner of confusion.
5. Volund+lv2 2025-01-06 14:50:26
>>globul+qS1
You really, really should. Just because someone is inside your network is no reason to just give them the keys to the kingdom.

And I don't see any reason why having to allow a postgres or apache or whatever run through docker through your firewall is any more confusing than allowing them through your firewall when installed via APT. It's more confusing that the firewall DOESN'T protect docker services like everything else.
