Open binaryfire opened 2 years ago
@chaifeng Also, I don't need to log dropped requests.
Will ufw logging off
also switch off logging for ufw-docker-logging-deny? Or do I need to remove -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
?
Thanks :)
Yes, just remove the three lines of code about 192.168.0.0/16
if you don't trust this network.
@chaifeng Also, I don't need to log dropped requests.
Will
ufw logging off
also switch off logging for ufw-docker-logging-deny? Or do I need to remove-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
?Thanks :)
Correct!
@chaifeng Thank you!
Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?
@chaifeng Thank you!
Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?
depends on your configurations of docker/swarm networks, for example, https://docs.docker.com/network/bridge/#configure-the-default-bridge-network
Hey @chaifeng
Thanks for a great solution! I'm going for a zero-trust network so I want to drop all traffic by default (including from private network addresses). And then add UFW rules for the specific private and public ips I want to allow.
Do I just need to remove the rules ending in192.168.0.0/16 to achieve this?
So this:
Combined with UFW commands like this:
Allow private network access to published ports 9000 and 22:
ufw route allow proto tcp from 192.168.0.0/16 to any port 9000,22
Allow public IP 5.5.5.5 access to published port 5000:
ufw route allow proto tcp from 5.5.5.5 to any port 5000
Is this the right approach? Btw I'm using Docker in Swarm mode
Thanks!