Disable docker exposed ports in firewall
It should be possible to block, within the firewall, the exposure of ports from Docker containers to global networks.
It's a massive security lack! Most applications are run behind a 'docker proxy rule', so there's no need to expose the port to the whole internet.
Docker's modifying the firewall by itself, so this has to be disabled.
Hi Fabian, thank you for your idea. Could you please provide an example of what you are currently seeing in traffic, where this results from and what you would like the headers to look like instead? Please redact the true IP address(es) in the example.
Docker containers should not by default be exposed to the internet.
I posted about this in the forums and included a solution that works for me: https://talk.plesk.com/threads/securing-docker-ports-to-local-access-only-with-firewalld.368775/
For example, I run a docker with image 'portainer/portainer'.
I mapped the (container internal) port 9000 to host port 49153.
Right now, I am able to access the portainer container with ip:49153 in the web, even if I set up a docker proxy rule to access it with a subdomain.
Blocking this port from external ips through the firewall is not working.
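An audit for the situation described in the post above, as an added example that is not part of the thread or of Plesk: it reads container names and port mappings and reports every mapping published on all host interfaces (`0.0.0.0`, `::`), together with the `-p` value that would bind the same port to loopback only. The function and sample names are hypothetical, the sample lines are constructed from the port numbers in the post, and loopback binding is assumed to suit a setup where only software on the same host needs the port.

```shell
#!/bin/sh
# Added example (not from the thread): flag container ports that Docker
# has published on every host interface.
# Input on stdin: "<name> <ports>" lines, the shape printed by
#   docker ps --format '{{.Names}} {{.Ports}}'
# Output: "<name> <public mapping> <loopback-only -p value>" per finding.

find_public_ports() {
    while read -r name ports; do
        # One mapping per line; "read" trims the space after each comma.
        printf '%s\n' "$ports" | tr ',' '\n' |
        while read -r mapping; do
            case "$mapping" in
                0.0.0.0:*'->'*|:::*'->'*|'[::]:'*'->'*)
                    bind=${mapping%%'->'*}     # e.g. 0.0.0.0:49153
                    target=${mapping#*'->'}    # e.g. 9000/tcp
                    printf '%s %s 127.0.0.1:%s:%s\n' \
                        "$name" "$mapping" "${bind##*:}" "$target"
                    ;;
            esac
        done
    done
}

# Constructed sample input modelled on the port numbers in the post above.
sample() {
    printf '%s\n' \
        'portainer 0.0.0.0:49153->9000/tcp, :::49153->9000/tcp' \
        'portainer-local 127.0.0.1:49154->9000/tcp' \
        'db 3306/tcp'
}

sample | find_public_ports
```

Containers whose ports are already bound to `127.0.0.1`, or exposed but not published, produce no output.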