Common pitfalls with Docker networking and how to firewall (twitter.com) 2 points by spr-alex 1y ago ↗ HN
[–] spr-alex 1y ago ↗ you should know that docker doesnt make firewalling containers easy1) devices one hop away can route directly to the container network, for example the WAN interface can make requests to 172.17.0.22) INPUT firewall rules won't help. with docker's defaults the DOCKER-USER chain needs to filtering3) container networks have access to private subnets upstream of the container. this is a common problem in many homelab setups4) browsers can be a springboard for malicious websites to attempt to exploit testing docker containers on adjacent networks with default credentails
1 comment
[ 4.6 ms ] story [ 14.8 ms ] thread1) devices one hop away can route directly to the container network, for example the WAN interface can make requests to 172.17.0.2
2) INPUT firewall rules won't help. with docker's defaults the DOCKER-USER chain needs to filtering
3) container networks have access to private subnets upstream of the container. this is a common problem in many homelab setups
4) browsers can be a springboard for malicious websites to attempt to exploit testing docker containers on adjacent networks with default credentails