
Docker has worked like this for a long time. It's a really bad default, and they damn well ought to stop operating this way by default, but it's also like Docker Devops 101. When you install Docker on a Linux system, you should configure the DOCKER-USER chain to drop everything originating on your public network interface. You should also stop running services bound to localhost and instead run them on a private network. You can proxy any traffic that really ought to be allowed through from the outside, or if you can't do that for some reason, then make a single exception to the iptables and host binding rules for that one container.
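The DOCKER-USER setup described above, as an added example that is not part of the original comment: a small POSIX shell function that emits the iptables rules for dropping new inbound connections on the public interface while keeping one explicit exception per published port. The interface name `eth0`, the port `443` and the private address `10.0.0.5` are placeholders, and the script only prints the rules so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a DOCKER-USER rule set that
# drops every new connection arriving on the public interface and allows only
# explicitly listed published ports. Rules are printed rather than applied so
# the output can be inspected first; pipe it to sh as root to apply.
# Assumptions: iptables with Docker's DOCKER-USER chain already present
# (Docker creates it), and placeholder interface/port values you must change.

docker_user_rules() {
    ifc="$1"   # public interface, e.g. eth0 (placeholder)
    shift      # remaining arguments are published ports to allow from outside
    # Start from an empty chain so re-running the script is idempotent.
    echo "iptables -F DOCKER-USER"
    # Replies to connections that containers opened outbound must still pass.
    echo "iptables -A DOCKER-USER -i $ifc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # One exception per allowed port. DOCKER-USER sits in FORWARD and is
    # evaluated after DNAT, so match the original (published) destination port,
    # not the port inside the container.
    for port in "$@"; do
        echo "iptables -A DOCKER-USER -i $ifc -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j ACCEPT"
    done
    # Everything else that arrives on the public interface is dropped.
    echo "iptables -A DOCKER-USER -i $ifc -j DROP"
    # Hand all other traffic (private interfaces, container-to-container) back
    # to Docker's own chains.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Counting helper used to sanity-check the generated rule set.
rule_count() {
    docker_user_rules "$@" | grep -c ''
}

# Pair the firewall rules with binding published ports to a private address
# instead of 0.0.0.0 or 127.0.0.1, e.g. (placeholder address):
#   docker run -p 10.0.0.5:8080:80 my-image
docker_user_rules "${PUBLIC_IF:-eth0}" "${ALLOW_PORT:-443}"
```

Review the printed rules, then apply them as root with `sh script.sh | sudo sh`; they are not persistent across a reboot, so save them with your distribution's iptables persistence mechanism.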



Would you know of some blog post or guide in the vein of an "essential sane(r) defaults to apply after installing Docker" kind of tutorial, which would include, for example, the chain config you mentioned?


This feels like something you might forget if it's just been running for a while.


When I moved my docker setup to a new Fedora server a few months ago I was surprised I had to add firewall rules to allow traffic to the ports exposed in the containers. I'm not sure whether this is for any port or specially for things running under the docker user but RHEL should be safe by default.



