# install
Where do I start.
Well, do test the quick install if it really works as intended.
Next, why is caddy running in host mode https://github.com/gravitl/netmaker/blob/master/compose/docker-compose.yml#L68 while the caddy is using hostnames https://github.com/gravitl/netmaker/blob/master/docker/Caddyfile which are only available in docker's own networks?
All other containers are created with their own network due to compose, yet caddy is in the hostnetwork. Which won't work, unless you create a network and assign it to the containers and the caddy container.
Also generally speaking, unless things changed, ufw is kinda useless on the docker host. Reason being in how the firewall is managed by docker and where the rules land.
Since when docker is "publishing" ports, it lands on the FORWARD filter, which bypasses the INPUT filter.
we need to update the default docker-compose on GitHub. The default is actually https://github.com/gravitl/netmaker/blob/master/compose/docker-compose.contained.yml, which does not expose caddy with host networking.
docker-compose.yml should match docker-compose.contained.yml exactly, but it appears it does not
Or update the docs.
So, unless the rules land in the tables with `-t mangle -A PREROUTING`, you can forget firewall security with docker.
docs have been updated, and I've created an issue to update the docker-compose.yml in the next release
But that is only my experience, do test it out yourself.
Your assessment is correct. We updated caddy configuration to avoid host networking, and just did not update all the docker-compose files equally
Nah, talking about the firewall and docker iptables.
The first part is just a minor documentation problem.
what issue are you encountering with iptables?
I am implying that the ufw rules will only protect against people trying to access ports without any extra work.
But due to how docker does its iptables configuration, if you change the routing on your system to use the docker host and iterate over the internal IPs, you will be able to access the published ports that would otherwise be protected by the INPUT filter.
see ^
So what I am implying is: I hope you have no internal ports that would chat or publish information without authentication, assuming they are protected by the system firewall.
When using docker, that is.
And not having a dedicated firewall in front of the system.