
Comments (9)

itchy2 avatar itchy2 commented on June 30, 2024 1

I have a reverse proxy based on NPM. Port 80 and 443 are used for accessing the server. Port 81 is used for the management console. So I need -p 80:80 443:443 81:81 to get all functionalities enabled. UFW-Docker does not affect the local IP addresses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If I set UFW_MANAGED=TRUE ufw will also open Port 81 with the same rules as for 80 and 443. The management interface will also be opened to the WAN www. But I only want to allow port 80 and 443 to be opened to the outside world.

I hope this explanation makes it more understandable? Sorry, I am not a native speaker.

from ufw-docker-automated.

shinebayar-g avatar shinebayar-g commented on June 30, 2024

Hi. I think you can achieve the same result with only selecting the necessary ports with the -p flag. For example, if the container uses 2 different ports 80 and 81 and you want to expose only port 80, you could do docker run -d -p 80:80 -l UFW_MANAGED=TRUE nginx:alpine. Port 81 will stay closed on the firewall.


itchy2 avatar itchy2 commented on June 30, 2024

Yes, but with this approach nobody can access Port 81. I want to connect to port 81 from another subnet (so port 80 / 443 from WAN and 81 from LAN). But enabling / disabling the port could be a workaround.


shinebayar-g avatar shinebayar-g commented on June 30, 2024

I don't get the idea. Can you give an example?


shinebayar-g avatar shinebayar-g commented on June 30, 2024

Hmm. In that case, would -l UFW_ALLOW_FROM=192.168.3.0/24-LAN;10.10.0.50/32-WAN work for you? You can whitelist the IP addresses in the UFW_ALLOW_FROM label. So you can filter out.


itchy2 avatar itchy2 commented on June 30, 2024

Unfortunately not, because this will open all three ports into both networks. Something like: -l UFW_ALLOW_FROM=192.168.3.0/24:80-81,443-LAN;ANY:80,443-WAN would be a solution.


shinebayar-g avatar shinebayar-g commented on June 30, 2024

Ah, I see. So the current implementation is all or nothing and tightly coupled with all published ports. But you want to define different source IPs, like, for example, different -p ports being matched with different UFW_ALLOW_FROM labels?

Example:

Container publishes 3 different ports. 80, 443, 8080.

Current implementation: Opens 80, 443, 8080 all at once from single UFW_ALLOW_FROM label.
Wanted implementation: Opens 80, 443 maybe from 0.0.0.0/0, but 8080 from different UFW_ALLOW_FROM label.

Did I understand you correctly this time?

So essentially UFW_ALLOW_FROM per published port. 1:1 match needed, not 1:1+


itchy2 avatar itchy2 commented on June 30, 2024

Yes, perfect. That's what I need 👍


shinebayar-g avatar shinebayar-g commented on June 30, 2024

This is now implemented. Now you can do something like this:

# Allow from certain IP address, CIDR ranges to different Port + comments
➜ docker run -d -p 8088:88 -p 8089:89 -p 8090:90 -l UFW_MANAGED=TRUE -l UFW_ALLOW_FROM="0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90" nginx:alpine

# Results
➜ sudo ufw status
Status: active

172.17.0.6 88/tcp          ALLOW FWD   Anywhere                   # awesome_leavitt:6ebdb0c87a56 Internet
172.17.0.6 89/tcp          ALLOW FWD   192.168.3.0/24             # awesome_leavitt:6ebdb0c87a56 LAN
172.17.0.6 90/tcp          ALLOW FWD   10.10.0.50                 # awesome_leavitt:6ebdb0c87a56

Port 88 is open to the internet, but 89 and 90 are network specific.

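As an added example (not part of this thread and not the project's own parser), the following Python shows how the per-port UFW_ALLOW_FROM label from the last comment can be parsed defensively and turned into per-port forwarding rules. The label grammar (entries separated by `;`, each `<ip-or-cidr>[-<port>][-<comment>]`, with a missing port meaning "every published port"), the `ufw route allow ... comment ...` command shape and the `name:id` comment tag are all assumptions inferred from the examples above. The practitioner's point it adds: every source is validated with `ipaddress` and every port is checked against the container's actually published ports before anything is handed to the ufw CLI, so a typo in a label cannot silently widen exposure.

```python
"""Parse a per-port UFW_ALLOW_FROM label and render ufw forwarding rules.

Assumed grammar (inferred from the thread, not the project's own code):
    entry ( ';' entry )*
    entry = <ip-or-cidr> [ '-' <port> ] [ '-' <comment> ]
A missing port means the rule applies to every published container port.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AllowRule:
    source: str            # normalised network, e.g. "10.10.0.50/32"
    port: Optional[int]    # None means "all published ports"
    comment: str           # free text shown in `ufw status`; may be empty


def parse_allow_from(label: str) -> List[AllowRule]:
    """Turn the label value into validated rules; raise ValueError on junk."""
    rules: List[AllowRule] = []
    for raw in label.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        parts = entry.split("-", 2)
        # Validate the source first so nothing unexpected reaches the ufw CLI.
        try:
            network = ipaddress.ip_network(parts[0].strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"bad source in {entry!r}: {exc}") from exc
        rest = parts[1:]
        port: Optional[int] = None
        # A purely numeric second field is a port; anything else is a comment.
        if rest and rest[0].strip().isdigit():
            port = int(rest[0])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port in {entry!r}")
            rest = rest[1:]
        comment = "-".join(rest).strip()
        rules.append(AllowRule(str(network), port, comment))
    return rules


def _ufw_source(network: str) -> str:
    """Render a network the way ufw expects it on the command line."""
    net = ipaddress.ip_network(network)
    if net.prefixlen == 0:
        return "any"                       # ufw shows this as "Anywhere"
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)    # single host: drop the /32
    return str(net)


def ufw_commands(rules: Iterable[AllowRule], container_ip: str,
                 published_ports: Iterable[int], container_name: str,
                 container_id: str) -> List[str]:
    """One `ufw route allow` command per (rule, port) pair (command shape assumed)."""
    published = set(published_ports)
    tag = f"{container_name}:{container_id[:12]}"   # assumed comment tag format
    cmds: List[str] = []
    for rule in rules:
        ports = [rule.port] if rule.port is not None else sorted(published)
        for port in ports:
            # Refuse ports the container never published instead of opening them.
            if port not in published:
                raise ValueError(f"port {port} is not published by the container")
            comment = f"{tag} {rule.comment}".strip()
            cmds.append(
                f"ufw route allow proto tcp from {_ufw_source(rule.source)} "
                f"to {container_ip} port {port} comment {shlex.quote(comment)}"
            )
    return cmds


if __name__ == "__main__":
    # Constructed sample matching the thread's docker run example.
    label = "0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90"
    for cmd in ufw_commands(parse_allow_from(label), "172.17.0.6",
                            [88, 89, 90], "awesome_leavitt", "6ebdb0c87a56"):
        print(cmd)
```

Running the sample yields three commands, one per published port, with `from any` for 88, `from 192.168.3.0/24` for 89 and `from 10.10.0.50` for 90, matching the three `ALLOW FWD` lines shown in the `ufw status` output above.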
