
Using firewalld instead of ufw

By Dashamir Hoxha @dashohoxha
    2021-03-31 05:02:58.948Z

    I think that docker doesn't play well with ufw. It supports firewalld instead.
    https://github.com/debiki/talkyard-prod-one/blob/master/scripts/start-firewall.sh#L15

    • 3 replies
    1. KajMagnus @KajMagnus 2021-03-31 14:06:14.294Z (edited 2021-04-04 15:53:36.262Z)

      Ok, seems like a good idea (after having read a bit about firewalld + Debian, Fedora, see below).

      What do you like better with firewalld / would you say doesn't work well with ufw + Docker?

      Personally I remember I was confused about having to do this, with ufw:

      # Make the firewall work with Docker: (not needed in Google Compute Engine)
      # 1) Change forward policy to accept: DEFAULT_FORWARD_POLICY="ACCEPT"
      sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/#&\n# This makes Docker work:\nDEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw

      (in that start-firewall.sh script)

      ***

      I websearched for "systemd firewall", and yes maybe firewalld is "the future" — from the Debian wiki:

      ... Debian Buster [i.e. Debian 10] ...
      You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run firewalld, which integrates pretty well into the system. See also https://firewalld.org/

      https://wiki.debian.org/nftables

      And an upvoted reply over at Reddit about ufw and firewalld:

      firewalld is probably going to become the standard IPC interface to iptables

      https://www.reddit.com/r/archlinux/comments/3aroy1/firewalld_vs_ufw/

      ***

      I'll make a note about probably recommending firewalld instead, in Ty tech stack version 1. (Currently at version 0)

      (I'll move this topic to the Ideas category. Update: I moved it back to Issues — there's a problem, see below)

      1. Dashamir Hoxha @dashohoxha
          2021-03-31 16:44:32.098Z

          The problem with ufw and docker is that ufw allow 80 does not do what you would expect. Personally I realized this too late. Here is a more detailed description: https://github.com/chaifeng/ufw-docker
          With simple docker setups probably this doesn't matter, but once you have multiple docker virtual networks you may find out that things do not work as you expect.

          firewalld may be a bit more complex than ufw, but it is very simple for basic usage. When you install it, port 22 is allowed by default, and usually you don't need to do any extra configuration, especially related to docker. For example I usually do this: https://gitlab.com/dashohoxha/server-scripts/-/blob/master/scripts/ubuntu.sh#L25-28
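The "ufw allow 80 does not do what you would expect" problem above comes from Docker inserting its own ACCEPT rules into the FORWARD path (the DOCKER chain), which ufw's INPUT rules never see. The audit helper below is an added example, not code from this thread, from talkyard-prod-one or from ufw-docker: it parses `iptables -S` output and lists ports Docker has published that ufw was never told about. The iptables listing embedded here is constructed for offline use.

```shell
#!/bin/sh
# Ports Docker accepts in the filter-table DOCKER chain (these are FORWARD
# rules, so "ufw allow <port>" and "ufw deny <port>" do not affect them).
docker_published_ports() {
  grep -E '^-A DOCKER .* -j ACCEPT' \
    | sed -E 's#.* -p (tcp|udp) .*--dport ([0-9]+).*#\1/\2#' \
    | sort -u
}

# Ports an admin explicitly allowed with ufw (chain ufw-user-input).
ufw_allowed_ports() {
  grep -E '^-A ufw-user-input .* -j ACCEPT' \
    | sed -E 's#.* -p (tcp|udp) .*--dport ([0-9]+).*#\1/\2#' \
    | sort -u
}

# Prints every Docker-published port that is absent from the ufw allow list.
# $1 is the text of `iptables -S`; on a real host: audit "$(iptables -S)".
audit() {
  docker=$(printf '%s\n' "$1" | docker_published_ports)
  allowed=" $(printf '%s\n' "$1" | ufw_allowed_ports | tr '\n' ' ') "
  for p in $docker; do
    case "$allowed" in
      *" $p "*) ;;                # ufw knows about this port
      *) printf '%s\n' "$p" ;;    # reachable through Docker, hidden from ufw
    esac
  done
}

# Constructed sample: ufw allows 22 and 80, but a container also publishes 5432.
SAMPLE_IPTABLES='-P INPUT DROP
-P FORWARD DROP
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -j ufw-before-forward
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT'

audit "$SAMPLE_IPTABLES"
```

On the sample this prints tcp/5432: the database port is reachable from outside via Docker's DNAT even though ufw's own rules never allowed it.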

          1. KajMagnus @KajMagnus 2021-04-04 15:36:07.789Z (edited 2021-04-04 15:51:26.719Z)

            Hi Dashamir, thanks for explaining. Hmm I'll edit the installation instructions and mention this now directly.

            (Edit: Now done. In https://github.com/debiki/talkyard-prod-one/ , the readme.)

        • Progress with handling this problem
        • @KajMagnus marked this topic as Planned 2021-03-31 14:08:07.445Z.