Docker docs:

Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

  • qaz@lemmy.worldOPEnglish
    16·
    2 months ago

    ufw just manages iptables rules, if docker overrides those it’s on them IMO

    • jwt@programming.dev
      7·
      2 months ago

      Feels weird that an application is allowed to override iptables though. I get that when it’s installed with root everything’s off the table, but still…

    • null_dot@lemmy.dbzer0.comEnglish
      5·
      2 months ago

      Not really.

      Both docker and ufw edit iptables rules.

      If you instruct docker to expose a port, it will do so.

      If you instruct ufw to block a port, it will only do so if you haven’t explicitly exposed that port in docker.

      Its a common gotcha but it’s not really a shortcoming of docker.

    • pressanykeynow@lemmy.world
      1·
      2 months ago

      iptables is deprecated for like a decade now, the fact that both still use it might be the source of the problem here.