Using firewalld instead of ufw
I think that docker doesn't play well with ufw. It supports firewalld instead.
- 3 回复
- KajMagnus @KajMagnus2021-03-31 14:06:14.294Z2021-04-04 15:53:36.262Z
Ok, seems like a good idea (after having read a bit about firewalld + Debian, Fedora, see below).
What do you like better with firewalld / would you say doesn't work well with ufw + Docker?
Personally I remember I was confused about having to do this, with ufw:
# Make the firewall work with Docker: (not needed in Google Compute Engine) # 1) Change forward policy to accept: DEFAULT_FORWARD_POLICY="ACCEPT" sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/#&\n# This makes Docker work:\nDEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
I websearched for "systemd firewall", and yes maybe firewalld is "the future" — from the Debian wiki:
... Debian Buster [i.e. Debian 10] ...
You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run ?firewalld, which integrates pretty well into the system. See also https://firewalld.org/
And an upvoted reply over at Reddit about ufw and firewalld:
firewalld is probably going to become the standard IPC interface to iptables
I'll make a note about probably recommending firewalld instead, in Ty tech stack version 1. (Currently at version 0)
(I'll move this topic to the Ideas category. Update: I moved it back to Issues — there's a problem, see below)
- Dashamir Hoxha @dashohoxha
The problem with
ufwand docker is that
ufw allow 80does not do what you would expect. Personally I realized this too late. Here is a more detailed description: https://github.com/chaifeng/ufw-docker
With simple docker setups probably this doesn't matter, but once you have multiple docker virtual networks you may find out that things do not work as you expect.
firewalldmaybe is a bit more complex than
ufw, but it is very simple for basic usage. When you install it port 22 is allowed by default, and usually you don't need to do any extra configurations, especially related to docker. For example I usually do this: https://gitlab.com/dashohoxha/server-scripts/-/blob/master/scripts/ubuntu.sh#L25-28
- KajMagnus @KajMagnus2021-04-04 15:36:07.789Z2021-04-04 15:51:26.719Z
Hi Dashamir, thanks for explaining. Hmm I'll edit the installation instructions and mention this now directly.
(Edit: Now done. In https://github.com/debiki/talkyard-prod-one/ , the readme.)
- @KajMagnus marked this topic as Planned 2021-03-31 14:08:07.445Z.