zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

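As an added illustration of the distinction drawn above (not code from the thread or from Docker), the script below parses short-form Docker port publications (the `-p` / compose `ports:` syntax) and flags the entries that bind to all interfaces rather than loopback. The sample entries are constructed; the regex and the `Publication` class are assumptions made for this example and follow the documented `[host_ip:][host_port:]container_port[/proto]` shape.

```python
"""Audit Docker port publications for bindings reachable from the network.

Added example, not part of the original thread. Parses the short-form
`[host_ip:][host_port:]container_port[/proto]` syntax used by `docker run -p`
and docker-compose `ports:` and reports which entries are bound to all
interfaces (Docker's default when no host IP is given) versus loopback.
"""
import ipaddress
import re
from dataclasses import dataclass

# Optional host IP (IPv6 in brackets), optional host port or range,
# container port or range, optional protocol suffix.
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<hport>\d+(?:-\d+)?):)?"
    r"(?P<cport>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)


@dataclass
class Publication:
    spec: str
    host_ip: str         # "" means no host IP given, i.e. Docker binds all interfaces
    host_port: str       # "" means Docker picks an ephemeral host port
    container_port: str
    proto: str

    @property
    def reachable_from_network(self) -> bool:
        """True when other hosts can reach the mapping (anything not loopback)."""
        if not self.host_ip:
            return True
        return not ipaddress.ip_address(self.host_ip).is_loopback


def parse_publication(spec: str) -> Publication:
    """Parse one short-form port spec; raises ValueError on malformed input."""
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    ip = m.group("ip") or ""
    if ip.startswith("["):          # strip IPv6 brackets, e.g. "[::1]" -> "::1"
        ip = ip[1:-1]
    if ip:
        ipaddress.ip_address(ip)    # validates the address, raises ValueError if bogus
    return Publication(
        spec=spec.strip(),
        host_ip=ip,
        host_port=m.group("hport") or "",
        container_port=m.group("cport"),
        proto=m.group("proto") or "tcp",
    )


def audit(specs: list[str]) -> list[tuple[str, bool]]:
    """Return (spec, reachable_from_network) for each entry."""
    return [(s, parse_publication(s).reachable_from_network) for s in specs]


# Constructed sample entries, covering the forms discussed in the thread and a few more.
CONSTRUCTED_PORTS = [
    "1234:1234",                  # no host IP: bound on all interfaces
    "127.0.0.1:1234:1234",        # loopback only
    "0.0.0.0:8080:80",            # explicit all-interfaces
    "[::1]:5432:5432",            # IPv6 loopback only
    "9000",                       # ephemeral host port, all interfaces
    "8000-8001:8000-8001/udp",    # port range with protocol
]

if __name__ == "__main__":
    for spec, exposed in audit(CONSTRUCTED_PORTS):
        print(f"{'NETWORK ' if exposed else 'loopback'}  {spec}")
```

Running the script on a real compose file's `ports:` list gives a quick pre-deployment check for the default binding the first comment warns about; for hosts that must publish on a public interface, Docker's own documentation points to the `DOCKER-USER` iptables chain as the place to add restricting rules that Docker will not overwrite.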
2. joseph+kD 2025-01-05 18:29:14
>>smarx0+P4
It only exposes ports if you pass the command-line flag that says to do so. How is that "without asking your permission"?
3. dizhn+V44 2025-01-06 22:57:34
>>joseph+kD
It should have the proxy set up but leave opening the port to the user.

No other server software that I know of touches the firewall to make its own services accessible. Though I am aware that the word being used is "expose". I personally only have private IPs on my docker hosts when I can and access them with wireguard.
