A Note about using UFW with Docker

Posted on Sun 06 August 2017 in Linux

UFW is a great program. It allows easy configuration of a powerful firewall, without the need to learn IPTables and the large amount of networking knowledge that goes with it.
However, when used with Docker, there is something you need to be aware of - UFW lies!

Although UFW makes changes to IPTables, it does not read back the same route tables it modifies. This means that a program that works directly with IPTables, such as Docker, could make rules that go against what you are trying to do with UFW.

For example, let's take a standard web server configuration: allow traffic on ports 22, 80 and 443. The output of UFW is as follows:

adam@ExampleHost:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere 

Now let's load up a Docker container that exposes port 8765 to the outside world:

adam@ExampleHost:~$ docker ps
CONTAINER ID        IMAGE                   COMMAND        CREATED             STATUS          PORTS                     NAMES
f9955df5766f        example/example         "/bin/sh"      3 minutes ago       Up 1 hours>9000/tcp    ExampleProgram

Now …

Continue reading