Well, do test the quick install if it really works as intended.

Next, why is caddy running in host mode https://github.com/gravitl/netmaker/blob/master/compose/docker-compose.yml#L68 while the caddy is using hostnames https://github.com/gravitl/netmaker/blob/master/docker/Caddyfile which are only available in dockers own networks?

All other containers are created with their own network due to compose, yet caddy is in the hostnetwork. Which won't work, unless you create a network and assign it to the containers and the caddy container.

Also generally speaking, unless things changed, ufw is kinda useless on the docker host. Reason being in how the firewall is managed by docker and where the rules land.

Since when docker is "publishing" ports, it lands on the forward filer, which bypasses the input filter.

docker-compose.yml should match exactly docker-compose.contained.yml, but appears it does not

iirc this should still work https://github.com/moby/moby/issues/22054#issuecomment-962202433

So, unless the rules land in the

mangle

tables with

-t mangle -A PREROUTING

, you can forget firewall security with docker.

The first part is just a minor documentation problem.

But due to how docker does it's iptables configuration, if you change the routing on your system to use the docker host and iterate over the internal ips, you will be able to access the published ports that would otherwise be protected by the INPUT filter.

see ^

So what I am implying is: I hope you have no internal ports that would chat or publish information without authentication, assuming they are protected by the system firewall.

When using docker, that is.

And not having a dedicated firewall in front of the system.