arno-iptables-firewall / aif

GNU General Public License v2.0

Missing support for docker #81

Open mawilmsen opened 3 years ago

mawilmsen commented 3 years ago

First of all I would like to express my gratitude and respect: I have been using this fantastic tool reliably for many years and I am very happy using it on conventional setups.

A big fraction of my recent deployments however switched to container-based deployments managed by docker. Docker creates its own iptables rules to route and isolate the traffic to and from the containers and their individual networks. I am not an iptables expert, but what I know is that docker manages to bypass all rules from arno-iptables-firewall (or other iptables-based Linux firewalls). This is very unfortunate, since all these useful rules you provide have simply no effect, nor can I even open or close a port any longer using arno-iptables-firewall.

The idea of the docker guys is to put all custom rules into a chain DOCKER-USER, which gets applied before any of the custom docker rules (https://docs.docker.com/network/iptables/). However I have no clue if this currently can be done using arno-iptables-firewall in a secure way, nor do I have the knowledge to verify it.

I was wondering if this could be done already or added as a useful feature to complement arno-iptables-firewall in the future and would like to hear your opinion on that topic.

Thanks / Marc
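The DOCKER-USER mechanism referred to in the post above, as an added example that is not part of this issue thread and not code from arno-iptables-firewall or Docker: a POSIX sh script that fills the DOCKER-USER chain so that ports published by containers are reachable only from a trusted network. The interface name eth0, the trusted network 203.0.113.0/24 and the published port 8080 are constructed values for the example. One practical point it accounts for is that Docker DNATs published ports in PREROUTING, before the FORWARD chain, so a plain `--dport` match in DOCKER-USER would see the container's internal port; the conntrack match on the original destination port is what matches the published port.

```shell
#!/bin/sh
# Added example, not code from this issue or from arno-iptables-firewall.
# Populates Docker's DOCKER-USER chain so that ports published by containers
# are reachable only from a trusted network. Assumed values (constructed for
# this example): external interface eth0, trusted network 203.0.113.0/24,
# published TCP port 8080. Override them via the environment.
EXT_IF="${EXT_IF:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-203.0.113.0/24}"
PUBLISHED_PORTS="${PUBLISHED_PORTS:-8080}"

# Emit the rules as text so they can be reviewed before they are applied.
# Docker DNATs published ports in PREROUTING, before FORWARD, so in
# DOCKER-USER "--dport" would see the container's port; the conntrack
# match on the original destination port matches the published port.
docker_user_rules() {
    # Start from an empty chain; Docker's own trailing RETURN is re-added below.
    echo "iptables -F DOCKER-USER"
    # Replies to connections that the containers opened themselves.
    echo "iptables -A DOCKER-USER -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # Each published port: only the trusted network may reach it.
    for port in $PUBLISHED_PORTS; do
        echo "iptables -A DOCKER-USER -i $EXT_IF -s $TRUSTED_NET -p tcp -m conntrack --ctorigdstport $port -j RETURN"
    done
    # Everything else arriving from the outside for a container is dropped.
    echo "iptables -A DOCKER-USER -i $EXT_IF -j DROP"
    # Traffic from other interfaces (container-to-container, outbound) continues to Docker's rules.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Apply the rules, refusing to run when the chain does not exist (Docker not started).
apply_docker_user_rules() {
    if ! iptables -S DOCKER-USER >/dev/null 2>&1; then
        echo "DOCKER-USER chain not found; is Docker running?" >&2
        return 1
    fi
    docker_user_rules | sh -e
}

# Print the rules by default; DRY_RUN=0 applies them (needs root).
if [ "${DRY_RUN:-1}" = "1" ]; then
    docker_user_rules
else
    apply_docker_user_rules
fi
```

Docker does not flush DOCKER-USER when it restarts, but iptables rules are not persistent across a host reboot, so a script like this has to be run again at boot (after Docker has created the chain), which is the integration step a firewall tool would need to provide. Only the `-i eth0` side is restricted here; container-initiated outbound traffic still falls through to Docker's own rules via the final RETURN.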

arnova commented 3 years ago

Dear Marc,

Thanks for the suggestion. The problem is that this is not trivial to implement and I think there will be stuff that simply doesn't work with Docker. Furthermore none of the main developers have any environment (nor the time) available to implement this at the moment. We'll keep this ticket open for other people but I don't think this will ever be implemented by us.

emu42 commented 2 years ago

Hello,

so I am facing this issue on a machine that is now meant to host Docker containers. And even though I have been using Arno's firewall for years and really enjoyed it, I might have to migrate to firewalld or something else. But before I do that, I wanted to ask whether there has been any progress on this topic. I would rather stay with a proven and trusted tool, but I also need those containers to work properly. Any suggestions?

arnova commented 2 years ago

> Hello,
>
> so I am facing this issue on a machine that is now meant to host Docker containers. And even though I have been using Arno's firewall for years and really enjoyed it, I might have to migrate to firewalld or something else. But before I do that, I wanted to ask whether there has been any progress on this topic. I would rather stay with a proven and trusted tool, but I also need those containers to work properly. Any suggestions?

Unfortunately still the same thing applies: It won't be implemented anytime soon (by us).