
Only slightly related, but port binding in Docker also binds to 0.0.0.0 by default: `-p 8000:8000`

To be safe, this should be used instead: `-p 127.0.0.1:8000:8000`




It also bypasses the firewall (ufw on Ubuntu).


Yes and no, it's modifying the NAT table and so traffic will not be subjected to inbound rules where you would normally add an "allow HTTPS"-style rule: https://docs.docker.com/engine/network/packet-filtering-fire...


In what way is that "No"? The docs say:

> Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

So Docker is "effectively" ignoring your firewall in the case of ufw. I don't see how it can be considered to not be ignoring your firewall when it ignores the rules you've set up.


NAT rules are still firewall (netfilter, iptables - note the plural) territory, ufw is a frontend for iptables to simplify creating rules.

Does Docker violate the principle of least surprise? Yes. Was I bitten by this behavior? Definitely. Does it bypass the firewall? No.


I dunno. If I use UFW on Ubuntu, I use it as a firewall, and applications that ignore my firewall, I'd consider them to be ignoring my firewall, regardless of whether the details say that it's still using NAT rules so technically it's just ignoring one firewall/something not called a firewall, even though it ignores the firewall you've set up.

To be frank, it kind of feels like the kind of technical nitpick argument I'd read from a Docker Inc employee trying to somehow defend ignoring the user's firewall.

The end result is that you set up rules in UFW, and Docker ignores them.
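The two points in this thread (ports published with `-p 8000:8000` land on every host interface, and ufw's INPUT rules never see that traffic) come together in a quick audit: which running containers have ports bound to a wildcard address? The script below is an added example, not Docker's own tooling; it reads the `HostConfig.PortBindings` structure that `docker inspect` emits (the sample input is constructed) and prints the loopback-only `-p` form for each finding.

```python
"""Audit Docker port bindings for host-wide exposure.

Added example for this thread, not Docker's own tooling.  It reads the
HostConfig.PortBindings structure that `docker inspect <container>` emits
and flags every published port bound to a wildcard host address, i.e. the
result of `-p 8000:8000` rather than `-p 127.0.0.1:8000:8000`.
"""
import json
import sys

# Host addresses that mean "every interface".  An empty HostIp is what
# `docker inspect` records for the plain `-p 8000:8000` form.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}

# Constructed sample modelled on `docker inspect` output (two containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"PortBindings": {
         "8000/tcp": [{"HostIp": "", "HostPort": "8000"}],
         "9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}]}}},
    {"Name": "/db",
     "HostConfig": {"PortBindings": {
         "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}],
         "5433/tcp": [{"HostIp": "::", "HostPort": "5433"}]}}},
])


def wildcard_bindings(inspect_json):
    """Return (container, host_ip, host_port, container_port) tuples for
    every published port that is reachable on all host interfaces."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for container_port, host_entries in bindings.items():
            for entry in host_entries or []:
                host_ip = entry.get("HostIp", "")
                if host_ip in WILDCARD_HOST_IPS:
                    findings.append((name, host_ip or "0.0.0.0",
                                     entry.get("HostPort", ""), container_port))
    return findings


def fixed_publish_flag(host_port, container_port):
    """Suggest the loopback-only `-p` flag for a flagged binding."""
    return f"-p 127.0.0.1:{host_port}:{container_port.split('/')[0]}"


if __name__ == "__main__":
    # Pipe real output in (`docker inspect $(docker ps -q) | python3 audit.py`),
    # otherwise run against the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, ip, hp, cp in wildcard_bindings(data):
        print(f"{name}: {ip}:{hp}->{cp} bound on all interfaces; "
              f"republish with {fixed_publish_flag(hp, cp)}")
```

Ports bound to 127.0.0.1 (like `9000/tcp` in the sample) are skipped; only the three wildcard bindings are reported.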



