Open SawkeeReemo opened 1 week ago
If you have whalewall running and enable it on a container via the proper label, all network access to and from that container will be disallowed unless you add rules via whalewall. So, in this case you'd need to allow your reverse proxy to make outbound connections to 80 and 443 like you said, and also allow the RP to talk to other containers it proxies. If the other containers need to talk amongst themselves or need to access something that's not another container you'll need to add additional outbound rules.
IIRC creating outbound rules via whalewall will not cause system firewall rules to be respected. The best plan for your use case is probably to add a destination chain to the whalewall rules for 80 and 443, so packets from the RP container will jump to an iptables or nftables rule that contains the Cloudflare logic you want. Does that make sense?
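As an added illustration of the nftables side of that suggestion (this is example code, not from the whalewall project or from the commenter): a POSIX shell function that turns a newline-separated list of Cloudflare IPv4 prefixes into nft commands for a named set and a chain that accepts TCP 80/443 only from those prefixes and drops 80/443 from anywhere else. The table name `inet filter`, the set name `cf_ipv4` and the chain name `cloudflare-in` are assumptions chosen for this example; the whalewall label that makes the container's 80/443 traffic jump to that chain is configured per whalewall's own documentation and is not shown here. The three prefixes embedded below are constructed RFC 5737 documentation ranges standing in for the real list.

```shell
#!/bin/sh
# Added example, not whalewall's own code: emit nft commands that admit
# TCP 80/443 only from a set of Cloudflare IPv4 prefixes.
set -eu

# Constructed sample prefixes (RFC 5737 documentation ranges). In production
# this list would come from https://www.cloudflare.com/ips-v4 instead.
SAMPLE_RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# build_cloudflare_chain RANGES [TABLE] [CHAIN]
#   RANGES: newline-separated IPv4 CIDRs
#   TABLE:  nft table to populate (assumed default: "inet filter")
#   CHAIN:  name of the chain a jump/goto verdict targets (assumed default)
# Prints an nft script on stdout; returns 1 if no valid CIDR was supplied,
# so a failed or empty download never produces an "allow nothing" ruleset
# that would silently take the sites offline (or an empty one that allows all).
build_cloudflare_chain() {
    ranges="$1"
    table="${2:-inet filter}"
    chain="${3:-cloudflare-in}"
    set_name="cf_ipv4"

    # Keep only lines that look like a.b.c.d/len; join them with commas.
    elements=$(printf '%s\n' "$ranges" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
        | tr '\n' ',' | sed 's/,$//')
    if [ -z "$elements" ]; then
        echo "build_cloudflare_chain: no valid IPv4 CIDRs in input" >&2
        return 1
    fi

    # "flags interval" lets the set hold CIDR prefixes rather than single
    # addresses. Flushing before re-adding makes periodic refreshes idempotent.
    # Packets that match neither rule (other ports) fall off the end of the
    # chain and return to the caller, so this chain only decides 80/443.
    cat <<EOF
add table $table
add set $table $set_name { type ipv4_addr; flags interval; }
flush set $table $set_name
add element $table $set_name { $elements }
add chain $table $chain
flush chain $table $chain
add rule $table $chain ip saddr @$set_name tcp dport { 80, 443 } accept
add rule $table $chain tcp dport { 80, 443 } drop
EOF
}

# Example usage for a periodic job (commented out so the script is safe to
# source without root or network access):
#   build_cloudflare_chain "$(curl -fsS https://www.cloudflare.com/ips-v4)" | nft -f -
```

Because the function refuses to emit rules when the input contains no parseable prefix, a cron job that feeds it the downloaded list fails loudly instead of installing a chain that drops all of 80/443, which is the failure mode to watch for when the allow-list is fetched at runtime.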
I’ve recently written a script that runs periodically to automatically add to UFW all Cloudflare IPs to ports 80 & 443, but deny everything else.
I noticed that if I just deny all traffic to 80 & 443 in UFW, with my reverse proxy manager in a Docker container, I was still able to access my sites. This led me here.
My question is, and I’m a little new to this, with WhaleWall, will simply allowing my RP manager’s (swag) container access to ports 80 & 443 correctly follow my UFW rules for those ports? I think I saw on another thread someone mentioned you have to do the same for all containers the RP serves. Correct? Are there any additional or optional rules I need to do?
Secondly, I’m planning on setting up an authentication portal (Authelia) to my self-hosted app. I’m assuming I would need to do the same with those, yes?
Thanks in advance for helping a network security newbie out!