networking:firewall:ufw

networking:firewall:ufw [2022/07/28 12:23]
gcooper
networking:firewall:ufw [2022/07/28 13:43]
gcooper
Line 24: Line 24:
 ===== Custom Rules ===== ===== Custom Rules =====
  
-FIXME This needs further confirmation.  Consider this a starting point.+FIXME This needs further confirmation.  **Consider this a starting point.**
  
-This **example** is for filtering **external access to ports published (opened) by Docker**.  Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**.+<note warning>This **example** is for filtering (further restricting) **external access to ports published (opened externally) by Docker**.  Consider this a firewall in front of the Docker firewall.  **Once you start with this, you will need to maintain it to control access to all your Docker apps.**</note> 
 + 
 +<note important>Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**.  This is probably unwanted in some cases such as **admin URLs** to web apps running under Docker.</note>
  
 <file> <file>
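Review bot: the FIXME line above the new notes still marks the whole section as unconfirmed, yet the added `<note warning>` and `<note important>` boxes read as settled guidance; either resolve the FIXME or state in the warning which part is still unconfirmed. The warning would also be clearer if it named the DOCKER-USER chain as the place where "a firewall in front of the Docker firewall" lives, since that is the chain the rules below are added to and the reason the "normal filtering rules" mentioned in the important note do not cover published ports.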
Line 56: Line 58:
 -A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP -A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
--A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,81,443,9443 -j ACCEPT+-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT 
 +-A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT 
 +-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
 -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP " -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
 -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP -A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
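Review bot: the new line `-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT` treats private source ranges arriving on eth0 as trusted, which is only sound if eth0 faces the LAN; if eth0 is the internet-facing interface implied by "external access", packets carrying 192.168.1.0/24 or 10.0.0.0/24 sources should not be accepted as admin traffic. Document which network eth0 faces, and say in the text that 81 and 9443 are the admin ports the important note refers to. Minor: `--match multiport` on the UDP line is unnecessary for the single port 22116; `-p udp --dport 22116` is enough. The unchanged LOG rule logs every dropped NEW connection without a `-m limit`, so a scan or flood will fill the log; consider rate-limiting it.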
networking/firewall/ufw.txt · Last modified: 2022/07/28 13:44 by gcooper