
My services were filtered correctly after migrating from iptables to firewalld and updating the rules with firewall-cmd. Then I moved all services to containers using Docker, and ran everything with docker-compose.

My default zone is 'public'. I have manually added docker0, my external (Ethernet) interface, and the interface the Docker containers seem to talk to the outside world with (br-304604a31e79) to the 'public' zone. I have run the commands to move the interfaces into the 'public' zone both with and without the --permanent flag.

When I use nmap to scan my server, the services running in the Docker containers are still accessible (are still 'open', instead of 'filtered').

Why isn't firewalld filtering the services running in my Docker containers?

HorseHair
  • While this needs an answer re firewalld, you should be aware that Docker does its own firewalling and only ports that you explicitly exposed when configuring your containers will be open in the firewall. If unexpected ports show up, it's almost always because you exposed something you should not have. – Michael Hampton Dec 22 '18 at 22:29
  • @MichaelHampton - they need to be exposed to each other (several containers being brought up with docker-compose), but not the outside world. Regardless, I think firewalld should be filtering these... – HorseHair Dec 22 '18 at 23:00
  • Only the ports exposed to the outside world need to be set in docker-compose.yml. The containers you define can always communicate with each other. – Michael Hampton Dec 23 '18 at 14:09
  • @MichaelHampton - it's not a direct solution to the firewalld/docker issue, but man, did your comment sure help. Would you add it here as an answer so I can accept it? – HorseHair Dec 23 '18 at 17:04
  • You do not need to expose the ports of a service in a Docker compose file in order to enable the different services to communicate with each other. Docker networking takes care of this. Say you have services named mysql and web. On web, you can call “db:3306” without exposing 3306 in the db service. Only ports which need to be accessible for the outside world should be exposed. – Markus W Mahlberg Dec 26 '18 at 11:23

1 Answer

Docker does its own firewalling and only ports that you explicitly exposed when configuring your containers will be open in the firewall. Only the ports exposed to the outside world need to be set in docker-compose.yml. The containers you define can always communicate with each other.

Michael Hampton
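As an added illustration of the answer (not code from the answer or from the asker's setup), here are two docker-compose files for the same hypothetical two-service stack: the first publishes the database port on the host, so a scan shows it open; the second publishes only the web port and lets the web container reach the database through Compose's internal network by service name. Image names and service names are placeholders.

```yaml
# File 1: docker-compose.yml (WEAK) -- placeholder image names.
# "ports:" publishes a container port on the host's interfaces (0.0.0.0 by
# default), so nmap reports 3306 as open even though only "web" needs it.
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"                  # needed: external clients must reach web
  db:
    image: mariadb:10
    ports:
      - "3306:3306"              # NOT needed: publishes the DB to the outside

# File 2: docker-compose.yml (HARDENED)
# "db" has no "ports:" entry, so nothing is published on the host. Containers
# in the same Compose project share a network and resolve each other by
# service name, so "web" still connects to db:3306.
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"                  # the only port exposed to the outside world
    environment:
      DB_HOST: db                # resolved by Compose's embedded DNS
      DB_PORT: "3306"
  db:
    image: mariadb:10
    expose:
      - "3306"                   # informational only; does not publish on host
    # If an admin tool on the host itself must reach the DB, bind to loopback
    # instead of all interfaces:
    #   ports:
    #     - "127.0.0.1:3306:3306"
```

After bringing the hardened stack up, `docker compose ps` lists only 80/tcp under PORTS for the project, and a repeat nmap scan from outside should no longer show 3306.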