Docker support
Will ConfigServer Firewall support Docker hosts in the future? We'd like to firewall the hosts Docker runs on and it would be cool if this is possible from within CSF.
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Docker support
If you can confirm that the configuration in this post works:
viewtopic.php?t=8793#p25123
We can look into adding support for it.
Re: Docker support
I'm afraid it doesn't. We lose all connectivity once Docker restarts. The only solution we have is to restart Docker when that happens.
Re: Docker support
I finally got around to writing up a working set of firewall rules in combination with CSF. We have bundled it with our CSF Puppet module, which is available on GitHub and the Puppet Forge. The script itself can be found here:
https://github.com/sensson/puppet-csf/b ... _docker.sh
By default it does not allow incoming traffic to containers.
We have implemented it ourselves by sourcing the script into csfpost.sh. The following is a working example that you could use in a Docker Compose setup in case you want to allow traffic to the nginx-proxy.
If you don't use open_port, it would only allow traffic from the host and between containers.
Code:
#!/bin/sh
# csfpost.sh: source the docker.sh helper shipped with the puppet-csf module, then publish ports
. /etc/csf/docker.sh
# optional trailing arguments, as described in the post: a source cidr (e.g. 192.168.1.0/24)
# and a network name (e.g. data_network)
open_port nginx-proxy 80 80
Re: Docker support
One thing I forgot to add is that you need to disable Docker's interference with iptables. If you leave it on, Docker will add rules for you.
On CentOS this would be in /etc/sysconfig/docker:
Code:
OPTIONS=" -H unix:///var/run/docker.sock --ip-forward=true --iptables=false --ip-masq=true"
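What the two posts above add up to is this: once the daemon runs with --iptables=false, nothing creates the MASQUERADE, FORWARD and DNAT rules that Docker would normally manage, so a script sourced from csfpost.sh has to install them itself. The following is an added illustration of such a script; it is not the sensson/puppet-csf docker.sh and is not from the thread. It assumes IPv4 and TCP only, that the default bridge is still docker0 with its usual 172.17.0.0/16 subnet, that the two port arguments of open_port mean host port and container port, and that user-defined networks are reachable via the br-<id> interfaces Docker creates for them. The chain name CSF_DOCKER, the DRY_RUN switch and the helper names are all made up for this example.

```shell
#!/bin/sh
# Added example (not the puppet-csf docker.sh): minimal iptables handling for a
# Docker host whose daemon runs with --iptables=false. Source this from
# /etc/csf/csfpost.sh so the rules are added after CSF has loaded its own.
# Assumptions: IPv4, TCP, default bridge docker0 / 172.17.0.0/16,
# open_port <container> <host port> <container port> [source cidr] [network].

# Run an iptables command, or only print it when DRY_RUN=1 so the generated
# rule set can be reviewed before it touches a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Interface behind a Docker network: docker0 for the default bridge,
# br-<first 12 hex digits of the network id> for user-defined networks.
bridge_if() {
    if [ "$1" = bridge ]; then
        echo docker0
    else
        id=$(docker network inspect -f '{{.Id}}' "$1") || return 1
        echo "br-$(printf '%s' "$id" | cut -c1-12)"
    fi
}

# IPv4 address of container $1 on network $2, as reported by the daemon.
container_ip() {
    docker inspect -f "{{(index .NetworkSettings.Networks \"$2\").IPAddress}}" "$1"
}

# Create (or flush, on reload) the chain that holds the published-port ACCEPTs.
docker_init_chain() {
    ipt -N CSF_DOCKER 2>/dev/null || ipt -F CSF_DOCKER
}

# Base policy for one bridge: masquerade outbound traffic, let containers talk
# to each other and to the outside, accept replies to those connections, and
# drop any other new connection arriving from outside the bridge. Published
# ports are accepted in CSF_DOCKER, which is consulted just before the DROP.
#   docker_base_rules <bridge interface> <subnet>
docker_base_rules() {
    br=$1; subnet=$2
    ipt -t nat -A POSTROUTING -s "$subnet" ! -o "$br" -j MASQUERADE
    ipt -A FORWARD -i "$br" -o "$br" -j ACCEPT
    ipt -A FORWARD -i "$br" ! -o "$br" -j ACCEPT
    ipt -A FORWARD ! -i "$br" -o "$br" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD ! -i "$br" -o "$br" -j CSF_DOCKER
    ipt -A FORWARD ! -i "$br" -o "$br" -j DROP
}

# Publish one TCP port: DNAT traffic hitting <host port> (optionally only from
# <source cidr>) to <container ip>:<container port>, and accept the forwarded
# packets. Traffic originating on the bridge itself is never rewritten.
#   open_port_ip <host port> <container ip> <container port> <bridge> [source cidr]
open_port_ip() {
    hport=$1; cip=$2; cport=$3; br=$4; src=${5:-0.0.0.0/0}
    ipt -t nat -A PREROUTING ! -i "$br" -p tcp -s "$src" --dport "$hport" \
        -j DNAT --to-destination "$cip:$cport"
    ipt -A CSF_DOCKER -p tcp -s "$src" -d "$cip" --dport "$cport" -j ACCEPT
}

# Same argument order as the open_port call in the post; resolves the container
# address and bridge interface from the daemon, then delegates to open_port_ip.
open_port() {
    name=$1; hport=$2; cport=$3; src=${4:-0.0.0.0/0}; net=${5:-bridge}
    cip=$(container_ip "$name" "$net") || return 1
    [ -n "$cip" ] || { echo "open_port: no address for $name on $net" >&2; return 1; }
    br=$(bridge_if "$net") || return 1
    open_port_ip "$hport" "$cip" "$cport" "$br" "$src"
}

# Only runs when invoked directly with "apply"; when this file is sourced from
# csfpost.sh, call the functions there instead. DRY_RUN=1 sh <this file> apply
# prints the rules instead of loading them.
case "${1:-}" in
    apply)
        docker_init_chain
        docker_base_rules docker0 172.17.0.0/16
        open_port nginx-proxy 80 80 192.168.1.0/24 data_network
        ;;
esac
```

Rule order matters here: the ACCEPT for a published port lives in CSF_DOCKER, which FORWARD jumps to before its final DROP, so ports can be opened in any order after the base rules are in place. Because everything is appended, whatever CSF already drops in FORWARD stays dropped. Note that this version does not rewrite connections the host itself makes to a published port (those traverse OUTPUT, not PREROUTING), and that a container's address can change when it is recreated, so the rules have to be regenerated (csf -r) after a Docker Compose restart.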