Building DevSecOps solutions using AWS, Terraform and Kubernetes

Docker Tips - UFW

  • 26th September 2021

Docker overrides UFW rules

If you had the "Uncomplicated Firewall" (UFW) configured to block port 3000, then you would be forgiven for assuming our docker app would also be blocked.

docker run -d -p 3000:5000 training/webapp python app.py

However, docker adds rules to IP tables directly. This bypasses UFW which causes our app to be exposed to the world.

Two simple solutions

1) Bind port to localhost

The problem is that our port mapping tag exposes our app:

-p 3000:5000

Restricting access to localhost is a simple change:

-p 127.0.0.1:3000:5000

This binds port 5000 inside the container to port 3000 on the localhost or 127.0.0.1 interface on the host machine.

Our app is now blocked from external traffic!

2) Use external firewalls

GCP, AWS and even OVH all have external firewalls that sit infront of the server. Leveraging cloud based firewalls in addition to UFW is the best way to solve the issue.

Rhuaridh

Please get in touch through my socials if you would like to ask any questions - I am always happy to speak tech!

Hello, I am a Senior DevSecOps Engineer working in the e-commerce and fintech space. I occassionally like to blog about stuff.

Disclaimer

Technology moves fast, and it's not always possible to keep blog posts up to date.

Please read the disclaimer.