PSA: Docker nukes your firewall rules and replaces them with its own.
from Kalcifer@sh.itjust.works to selfhosted@lemmy.world on 11 Mar 2024 05:48
https://sh.itjust.works/post/16040192

I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enormous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it's an enormous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

#selfhosted


Coelacanthus@lemmy.kde.social on 14 Aug 05:33

Docker will set the default behavior of the FORWARD chain to DROP, and this cut the home network of my friend off from the internet completely…

docs.docker.com/…/packet-filtering-firewalls/#doc…
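The original post describes finding Docker's rules in an nftables dump, and the comment above describes the FORWARD chain being switched to DROP. Both are visible in `nft list ruleset`: dockerd programs the firewall through iptables (iptables-nft on current distributions), so its rules appear as a legacy-style `table ip filter` with upper-case chains (FORWARD, DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1) next to whatever `inet` table the administrator wrote by hand. The POSIX shell audit below is an added example, not code from the post, the commenter, or the Docker project. It parses two hand-written sample dumps (one from a host where dockerd has started, one clean), reports the FORWARD policy and the DOCKER* chains it finds, and can be pointed at the live ruleset with `--live`. The sample rule text is constructed for this example and abbreviates what a real dump shows.

```shell
#!/bin/sh
# Added example: audit an nftables ruleset dump for the chains and policy that
# dockerd installs. Not code from the post or from Docker.

# Constructed sample of `nft list ruleset` after dockerd started (hand-written
# for this example; counters and minor details abbreviated).
DOCKER_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter jump DOCKER-USER
		counter jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter accept
		oifname "docker0" counter jump DOCKER
		iifname "docker0" oifname != "docker0" counter accept
		iifname "docker0" oifname "docker0" counter accept
	}
	chain DOCKER {
	}
	chain DOCKER-USER {
		counter return
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		counter return
	}
}'

# Constructed sample of a hand-written ruleset on a host without Docker.
CLEAN_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iifname "lo" accept
		tcp dport 22 accept
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}'

# Print the policy of the iptables-style FORWARD chain ("drop", "accept"),
# or "absent" when the dump has no such chain.
forward_policy() {
	printf '%s\n' "$1" | awk '
		$1 == "}" { in_chain = 0 }
		$1 == "chain" && $2 == "FORWARD" { in_chain = 1 }
		in_chain && /policy/ {
			for (i = 1; i <= NF; i++)
				if ($i == "policy") { sub(/;$/, "", $(i+1)); print $(i+1); found = 1; exit }
		}
		END { if (!found) print "absent" }'
}

# List every chain whose name starts with DOCKER, one per line.
docker_chains() {
	printf '%s\n' "$1" | awk '$1 == "chain" && $2 ~ /^DOCKER/ { print $2 }'
}

# Number of DOCKER* chains in the dump.
docker_chain_count() {
	docker_chains "$1" | awk 'END { print NR }'
}

# Exit 0 when Docker's footprint is present: dockerd creates DOCKER-USER
# whenever it runs with iptables management enabled (the default).
docker_managed() {
	docker_chains "$1" | grep -qx 'DOCKER-USER'
}

# Human-readable report for one ruleset dump.
report() {
	if docker_managed "$1"; then
		echo "Docker is managing this firewall: $(docker_chain_count "$1") DOCKER* chains present"
		echo "FORWARD policy: $(forward_policy "$1")"
		echo "Put your own forwarding rules in DOCKER-USER; Docker jumps there before its own rules."
	else
		echo "No Docker chains found; FORWARD policy: $(forward_policy "$1")"
	fi
}

# `sh audit.sh --live` reads the real firewall (needs root and nft);
# without arguments it runs against the constructed samples above.
if [ "${1-}" = "--live" ]; then
	report "$(nft list ruleset)"
else
	report "$DOCKER_RULESET"
	report "$CLEAN_RULESET"
fi
```

Two practical points follow from what the script finds. Rules you want applied to container traffic before Docker's own accept rules belong in the DOCKER-USER chain, which is the one chain Docker documents as reserved for the administrator and jumps to first from FORWARD. If you do not want dockerd touching the firewall at all, the documented switch is `"iptables": false` in `/etc/docker/daemon.json`; Docker's own documentation warns that published ports and container-to-outside traffic then stop working until you write the forwarding and NAT rules yourself.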