shinebayar-g / ufw-docker-automated

Manage docker containers firewall with UFW!
Apache License 2.0
198 stars, 31 forks

Feature Request: integrate ports in ruleset #29

Closed itchy2 closed 3 years ago

itchy2 commented 3 years ago

Hi all,

adding the possibility to define which ports should be opened / closed would be great (not only source). I have containers with ports for admin access (different ports) and I do not want to open these ports (only the "consumer ports").

Thanks and kind regards Itchy2

shinebayar-g commented 3 years ago

Hi. I think you can achieve the same result with only selecting the necessary ports with -p flag. For example if container uses 2 different ports 80 and 81 and you want to expose only port 80, you could do docker run -d -p 80:80 -l UFW_MANAGED=TRUE nginx:alpine. Port 81 will stay closed on the firewall.

itchy2 commented 3 years ago

Yes, but with this approach nobody can access Port 81. I want to connect to port 81 from another subnet (so port 80 / 443 from WAN and 81 from LAN). But enabling / disabling the port could be a workaround.

shinebayar-g commented 3 years ago

I don't get the idea. Can you give an example?

itchy2 commented 3 years ago

I have a reverse proxy based on NPM. Port 80 and 443 are used for accessing the server. Port 81 is used for the management console. So I need -p 80:80 443:443 81:81 to get all functionalities enabled. UFW-Docker does not affect the local IP addresses 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If I set UFW_MANAGED=TRUE, ufw will also open Port 81 with the same rules as for 80 and 443. The management interface will also be opened to the WAN www. But I only want to allow port 80 and 443 to be opened to the outside world.

I hope this explanation makes it more understandable? Sorry, I am not a native speaker.

shinebayar-g commented 3 years ago

Hmm. In that case, would -l UFW_ALLOW_FROM=192.168.3.0/24-LAN;10.10.0.50/32-WAN work for you? You can whitelist the IP addresses in the UFW_ALLOW_FROM label. So you can filter out.

itchy2 commented 3 years ago

Unfortunately not, because this will open all three ports into both networks. Something like: -l UFW_ALLOW_FROM=192.168.3.0/24:80-81,443-LAN;ANY:80,443-WAN would be a solution.

shinebayar-g commented 3 years ago

Ah, I see. So the current implementation is all in or nothing and tightly coupled with all published ports. But you want to define different source IPs, for example so that different -p ports can be matched with different UFW_ALLOW_FROM labels?

Example:

Container publishes 3 different ports. 80, 443, 8080.

Current implementation: Opens 80, 443, 8080 all at once from single UFW_ALLOW_FROM label. Wanted implementation: Opens 80, 443 maybe from 0.0.0.0/0, but 8080 from different UFW_ALLOW_FROM label.

Did I understand you correctly this time?

So essentially UFW_ALLOW_FROM per published port. 1:1 match needed, not 1:1+

itchy2 commented 3 years ago

Yes, perfect. That's what I need 👍

shinebayar-g commented 3 years ago

This is now implemented. Now you can do something like this:

# Allow from certain IP address, CIDR ranges to different Port + comments
➜ docker run -d -p 8088:88 -p 8089:89 -p 8090:90 -l UFW_MANAGED=TRUE -l UFW_ALLOW_FROM="0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90" nginx:alpine

# Results
➜ sudo ufw status
Status: active

172.17.0.6 88/tcp          ALLOW FWD   Anywhere                   # awesome_leavitt:6ebdb0c87a56 Internet
172.17.0.6 89/tcp          ALLOW FWD   192.168.3.0/24             # awesome_leavitt:6ebdb0c87a56 LAN
172.17.0.6 90/tcp          ALLOW FWD   10.10.0.50                 # awesome_leavitt:6ebdb0c87a56

Port 88 is open to internet, but 89, 90 are network specific.
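To make the label grammar from this thread concrete, here is an added Python example (not code from ufw-docker-automated). It parses UFW_ALLOW_FROM entries in both the older `source-comment` form and the per-port `source-port-comment` form shown above, falls back to every published port when no port is given, refuses to generate a rule for a port the container did not publish, and emits ufw forward rules as argv lists. The `ufw route allow ... comment` invocation, the helper names and the published-port set are assumptions made for this illustration; the container name and id reuse the values from the ufw output above.

```python
"""Parse the UFW_ALLOW_FROM label format and turn it into ufw forward rules.

Added example, not the project's own code.  Grammar inferred from the thread:
    label = entry (';' entry)*
    entry = source ['-' port] ['-' comment]
`source` is an IP or CIDR; a numeric second field is the container port, a
non-numeric one is the comment (so "192.168.3.0/24-LAN" still works).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class AllowEntry:
    source: str          # IP or CIDR, validated and normalised
    port: Optional[int]  # None = apply to every published port (pre-#29 behaviour)
    comment: str


def _normalise_source(text: str) -> str:
    # ip_network() rejects typos such as "192.168.3.0/33" or "ANY", so a bad
    # entry fails closed here instead of reaching ufw as an unknown argument.
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.prefixlen == net.max_prefixlen:       # single host: drop the /32
        return str(net.network_address)
    return str(net)


def parse_allow_from(label: str) -> List[AllowEntry]:
    entries: List[AllowEntry] = []
    for raw in (s.strip() for s in label.split(";")):
        if not raw:
            continue                              # tolerate a trailing ';'
        parts = raw.split("-")
        source = _normalise_source(parts[0])
        rest = parts[1:]
        port = None
        if rest and rest[0].strip().isdigit():
            port = int(rest[0])
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in entry {raw!r}")
            rest = rest[1:]
        comment = "-".join(rest).strip()         # comments may contain '-'
        entries.append(AllowEntry(source, port, comment))
    return entries


def build_rules(container_ip: str, container_name: str, container_id: str,
                published_ports: Set[int],
                entries: List[AllowEntry]) -> Tuple[List[List[str]], List[str]]:
    """Return (argv lists for ufw, skipped-port notes).

    Rules are argv lists rather than one shell string so a comment such as
    "O'Brien" cannot break quoting; run them with subprocess.run(argv).
    The `ufw route allow` form is assumed; it is what shows up as ALLOW FWD.
    """
    rules: List[List[str]] = []
    skipped: List[str] = []
    tag = f"{container_name}:{container_id}"
    for entry in entries:
        ports = [entry.port] if entry.port is not None else sorted(published_ports)
        for port in ports:
            if port not in published_ports:
                # Never open a port the container does not publish.
                skipped.append(f"{container_name}: port {port} not published")
                continue
            comment = f"{tag} {entry.comment}".strip()
            rules.append(["ufw", "route", "allow", "proto", "tcp",
                          "from", entry.source, "to", container_ip,
                          "port", str(port), "comment", comment])
    return rules, skipped


# Constructed sample input mirroring the docker run command above.
EXAMPLE_LABEL = "0.0.0.0/0-88-Internet;192.168.3.0/24-89-LAN;10.10.0.50-90"
EXAMPLE_PORTS = {88, 89, 90}   # container-side ports of -p 8088:88 -p 8089:89 -p 8090:90

if __name__ == "__main__":
    rules, skipped = build_rules("172.17.0.6", "awesome_leavitt", "6ebdb0c87a56",
                                 EXAMPLE_PORTS, parse_allow_from(EXAMPLE_LABEL))
    for argv in rules:
        print(" ".join(argv))
    for note in skipped:
        print("skipped:", note)
```

Running the module prints one `ufw route allow` line per entry, matching the three ALLOW FWD rows above; a label that names an unpublished port (for example `0.0.0.0/0-81` on this container) yields no rule and a skipped note instead of silently widening the firewall.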