Does not work after reboot ?

[Singtah]

Hi @chaifeng and thank you for your work. The trick seems to work until you reboot the server.

I applied the modifications to after.rules, enabled the firewall and limited access to a httpd container (added ufw route allow 80 + ssh => no problems here However once i reboot the server, despite ufw being still active (systemctl Active: active (exited) and ufw Status: active) the container is exposed to public traffic Host ports are still protected

any ideas ? docker@ 19.03.3 ufw @ 0.36

[maxiride]

Following, same here (UFW 0.36, Docker 19.03.4, build 9013bf5, Docker Compose 1.23.2, build 1110ad0).

Since I'm not much literate regarding networking I used the tool provided but the docker ports are still reachable.

The script appends to the UFW after.rules IPs in the form of 192.168.0.0/XX with XX being some number which I know should refer to a range for the last digits only aka the fourth block However, my router which is the DHCP server too for the host running docker hands over IPs in form of 192.168.1.X (notice the 1 instead of 0 as the third number. Might that be that the issue I am facing (and maybe @Singtah too) is due to a different IP range used in the LAN?

[shinebayar-g]

It's persistent.

[rr4444]

Same here - the problem is when container IP addresses change.

Your machine needs to rerun ufw-docker allow container port on each reboot. The script seems to recognise that it's an update and remove the old UFW entry.

Seems to be identical to #31 in problem, but not in solution

[rr4444]

This is a giant problem

[rr4444]

It's persistent.

What's persistent? I am hoping you know something I don't.......(!)

[rr4444]

Same here - the problem is when container IP addresses change.

Your machine needs to rerun ufw-docker allow container port on each reboot. The script seems to recognise that it's an update and remove the old UFW entry.

Seems to be identical to #31 in problem, but not in solution

Feels slightly mad, but running it as a crontab entry every few minutes is another possibility to fix both issues

[rr4444]

Running

*/2 * * * * /usr/local/bin/ufw-docker allow container port > /dev/null 2>&1

for each port in crontab (basically just 80 an 443 in my case)

[shinebayar-g]

It's persistent.

What's persistent? I am hoping you know something I don't.......(!)

If you're using the script like this: sudo ufw-docker allow nginx 80 , it'll actually create ufw rule based on container named nginx's current address. It has nothing to do with this container after this. Once container's ip address change, it cannot track such changes. If you actually remove the nginx container and run something else with different name, you'd notice this new container is accessible from internet. Why? Because this new container actually runs on same ip address from previously deleted nginx container.

So in order to track every container's rule properly you either have to run every container with static ip address and update rules manually or re-run ufw-docker after every other container creation or above cron works fine.

I'm suggesting much robust idea here. Idea is ufw-docker will update ufw rules based on container ENV or LABELs automatically like how docker creates and deletes underlying iptables rules automatically.

[shinebayar-g]

Okay, I hacked together some crap and got working code, here is the repo. All you have to do is run the container with special label UFW_MANAGED=TRUE. Please let me know your feedbacks. Of course code is crap, but hopefully it works.