You’re probably already aware of this, but if you run Docker on linux and use ufw or firewalld - it will bypass all your firewall rules. It doesn’t matter what your defaults are or how strict you are about opening ports; Docker has free reign to send and receive from the host as it pleases.
If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you’re a pointy head with a fetish for iptables this will be a world of pain, so isn’t really a solution.
There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason its no-longer working and Docker is back to doing its own thing.
Am I missing an obvious solution here?
It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.
That might do the trick. Would you mind giving an example?
sure, you can see below that port 53 is only on a secondary IP I have on my docker host.
--- services: pihole01: image: pihole/pihole:latest container_name: pihole01 ports: - "8180:80/tcp" - "9443:443/tcp" - "192.168.1.156:53:53/tcp" # this will only bind to that IP - "192.168.1.156:53:53/udp" # this will only bind to that IP - "192.168.1.156:67:67/udp" # this will only bind to that IP environment: TZ: 'Europe/London' FTLCONF_webserver_api_password: 'mysecurepassword' FTLCONF_dns_listeningMode: 'all' dns: - '127.0.0.1' - '192.168.1.1' restart: unless-stopped labels: - "traefik.http.routers.pihole_primary.rule=Host(`dns01.example.com`)" - "traefik.http.routers.pihole_primary.service=pihole_primary" - "traefik.http.services.pihole_primary.loadbalancer.server.port=80"Thanks, I’m embarrassed that I didn’t know about this already 😅