Comments (9)
I have a reverse proxy based on NPM. Ports 80 and 443 are used for accessing the server. Port 81 is used for the management console, so I need -p 80:80 -p 443:443 -p 81:81
to get all functionalities enabled. UFW-Docker does not affect the local IP addresses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If I set UFW_MANAGED=TRUE,
ufw will also open port 81 with the same rules as for 80 and 443. The management interface will also be opened to the WAN. But I only want to allow ports 80 and 443 to be opened to the outside world.
I hope this explanation makes it more understandable. Sorry, I am not a native speaker.
from ufw-docker-automated.
Hi. I think you can achieve the same result by only selecting the necessary ports with the -p flag. For example, if a container uses 2 different ports, 80 and 81, and you want to expose only port 80, you could do docker run -d -p 80:80 -l UFW_MANAGED=TRUE nginx:alpine. Port 81 will stay closed on the firewall.
from ufw-docker-automated.
Yes, but with this approach nobody can access port 81. I want to connect to port 81 from another subnet (so ports 80 / 443 from the WAN and 81 from the LAN). But enabling / disabling the port could be a workaround.
from ufw-docker-automated.
I don't get the idea. Can you give an example?
from ufw-docker-automated.
Hmm. In that case, would -l UFW_ALLOW_FROM=192.168.3.0/24-LAN;10.10.0.50/32-WAN work for you? You can whitelist the IP addresses in the UFW_ALLOW_FROM label, so you can filter them out.
from ufw-docker-automated.
Unfortunately not, because this will open all three ports to both networks. Something like -l UFW_ALLOW_FROM=192.168.3.0/24:80-81,443-LAN;ANY:80,443-WAN would be a solution.
from ufw-docker-automated.
Ah, I see. So the current implementation is all or nothing and tightly coupled to all published ports. But you want to define different source IPs, so that, for example, different -p ports can be matched with different UFW_ALLOW_FROM labels?
Example:
Container publishes 3 different ports. 80, 443, 8080.
Current implementation: Opens 80, 443, 8080 all at once from single UFW_ALLOW_FROM label.
Wanted implementation: Opens 80, 443 maybe from 0.0.0.0/0, but 8080 from different UFW_ALLOW_FROM label.
Did I understand you correctly this time?
So essentially UFW_ALLOW_FROM per published port. 1:1 match needed, not 1:1+
from ufw-docker-automated.
yes perfect. That's what I need 👍
from ufw-docker-automated.
This is now implemented. Now you can do something like this:
# Allow from certain IP address, CIDR ranges to different Port + comments
➜ docker run -d -p 8088:88 -p 8089:89 -p 8090:90 -l UFW_MANAGED=TRUE -l UFW_ALLOW_FROM="0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90" nginx:alpine
# Results
➜ sudo ufw status
Status: active
172.17.0.6 88/tcp ALLOW FWD Anywhere # awesome_leavitt:6ebdb0c87a56 Internet
172.17.0.6 89/tcp ALLOW FWD 192.168.3.0/24 # awesome_leavitt:6ebdb0c87a56 LAN
172.17.0.6 90/tcp ALLOW FWD 10.10.0.50 # awesome_leavitt:6ebdb0c87a56
Port 88 is open to the internet, but 89 and 90 are network specific.
from ufw-docker-automated.
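The label format shown in the last comment ("source-port-comment" entries separated by ";") is the whole security decision in this thread: whichever entry carries 0.0.0.0/0 decides which container ports the internet can reach. Below is a small Python re-implementation of that rule generation, added here as an illustration; it is not ufw-docker-automated's own code. It assumes the field order and separators used in the command above, that an entry without a port applies to every published port (the all-or-nothing behaviour described earlier in the thread), that a non-numeric second field is a comment (as in the earlier 192.168.3.0/24-LAN form), and it only returns the ufw route commands as strings instead of executing them. The container IP, name and ID are the ones from the ufw status output above; the NPM port set is the one from the first comment.

```python
"""Illustrative parser for a UFW_ALLOW_FROM-style label, turned into ufw route rules.

Example code written for this thread; the real ufw-docker-automated parser may differ.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

# Constructed sample inputs: the label from the maintainer's example and the
# NPM reverse-proxy case from the first comment (80/443 public, 81 LAN only).
THREAD_LABEL = "0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90"
THREAD_PORTS = [88, 89, 90]
NPM_LABEL = "0.0.0.0/0-80-WAN;0.0.0.0/0-443-WAN;192.168.3.0/24-81-LAN"
NPM_PORTS = [80, 443, 81]
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Entry:
    source: str           # canonical address or CIDR
    port: Optional[int]   # None means "every published port" (assumed semantics)
    comment: str


def parse_allow_from(label: str) -> List[Entry]:
    """Split 'src[-port][-comment];...' into entries (format assumed from the thread)."""
    entries = []
    for raw in filter(None, (part.strip() for part in label.split(";"))):
        fields = raw.split("-", 2)
        # Canonicalise the source so a sloppy 192.168.3.7/24 becomes 192.168.3.0/24
        # and a /32 is emitted as a bare address, matching the ufw status output.
        net = ipaddress.ip_network(fields[0], strict=False)
        source = str(net.network_address) if net.num_addresses == 1 else str(net)
        rest = fields[1:]
        port = None
        if rest and rest[0].isdigit():          # numeric second field is a port
            port = int(rest[0])
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid port in UFW_ALLOW_FROM entry {raw!r}")
            rest = rest[1:]
        entries.append(Entry(source, port, "-".join(rest).strip()))
    return entries


def ufw_rules(container_ip: str, name: str, cid: str,
              published_ports: Sequence[int], label: str) -> List[str]:
    """Build one 'ufw route allow' command per (source, container port) pair."""
    rules = []
    for entry in parse_allow_from(label):
        ports = [entry.port] if entry.port is not None else list(published_ports)
        for port in ports:
            # Refuse to open a port the container does not publish: a typo here
            # would otherwise silently produce a rule for nothing (or the wrong thing).
            if port not in published_ports:
                raise ValueError(f"port {port} is not published by the container")
            comment = f"{name}:{cid} {entry.comment}".strip()
            rules.append(f"ufw route allow proto tcp from {entry.source} "
                         f"to {container_ip} port {port} comment {shlex.quote(comment)}")
    return rules


def world_reachable_ports(label: str, published_ports: Sequence[int]) -> Set[int]:
    """Container ports that at least one entry opens to the whole internet.

    This is the pre-deployment check the first commenter needed: the management
    port must not appear in this set.
    """
    reachable: Set[int] = set()
    for entry in parse_allow_from(label):
        if entry.source in WORLD:
            reachable.update([entry.port] if entry.port is not None else published_ports)
    return reachable


if __name__ == "__main__":
    for rule in ufw_rules("172.17.0.6", "awesome_leavitt", "6ebdb0c87a56", THREAD_PORTS, THREAD_LABEL):
        print(rule)
    print("internet-reachable NPM ports:", sorted(world_reachable_ports(NPM_LABEL, NPM_PORTS)))
```

The check to run before trusting any label is world_reachable_ports(): for the NPM case it returns {80, 443}, so 81 stays LAN-only, whereas the earlier 192.168.3.0/24-LAN;10.10.0.50/32-WAN form without ports opens all three published ports to both networks, exactly the objection raised in the thread.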