Open binaryfire opened 2 years ago
binaryfire
commented
2 years ago @chaifeng Also, I don't need to log dropped requests.
Will ufw logging off also switch off logging for ufw-docker-logging-deny? Or do I need to remove -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] " ?
Thanks :)
chaifeng
commented
2 years ago Yes, just remove the three lines of code about 192.168.0.0/16 if you don't trust this network.
chaifeng
commented
2 years ago @chaifeng Also, I don't need to log dropped requests.
Will
ufw logging offalso switch off logging for ufw-docker-logging-deny? Or do I need to remove-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "?Thanks :)
Correct!
binaryfire
commented
2 years ago @chaifeng Thank you!
Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?
chaifeng
commented
2 years ago @chaifeng Thank you!
Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?
depends on your configurations of docker/swarm networks, for example, https://docs.docker.com/network/bridge/#configure-the-default-bridge-network
Hey @chaifeng
Thanks for a great solution! I'm going for a zero-trust network so I want to drop all traffic by default (including from private network addresses). And then add UFW rules for the specific private and public ips I want to allow.
Do I just need to remove the rules ending in192.168.0.0/16 to achieve this?
So this:
Combined with UFW commands like this:
Allow private network access to published ports 9000 and 22:
ufw route allow proto tcp from 192.168.0.0/16 to any port 9000,22Allow public IP 5.5.5.5 access to published port 5000:
ufw route allow proto tcp from 5.5.5.5 to any port 5000Is this the right approach? Btw I'm using Docker in Swarm mode
Thanks!