PSA: Docker nukes your firewall rules and replaces them with its own. - eviltoast

I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

  • Kalcifer@sh.itjust.worksOP
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    3
    ·
    10 months ago

    How come I don’t see my previous rules when I dump the ruleset, then? I have my rules written in /etc/nftables.conf, and they were previously applied by running # nft -f /etc/nftables.conf. Now, when I dump the current ruleset with # nft list ruleset, those previous rules aren’t there — all I see are Docker’s rules.

    • gorgori@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      9 months ago

      You can use a bridge network or the host network.

      In bridge network it is like a NAT host. With its own firewall settings.

      In host network mode, it will just open the port it needs.

      • Kalcifer@sh.itjust.worksOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I could be misunderstanding your comment, but you don’t seem to have answered my question of why I don’t see my rules anymore.