Docker Tips - UFW

By default docker will override the "Uncomplicated Firewall" (UFW) rules, it is important to be aware of this so that you do not accidentally expose your docker containers to the world.

If you had UFW configured to block port 3000, then you would be forgiven for assuming our docker app would also be blocked.

docker run -d -p 3000:5000 training/webapp python app.py

However, docker adds rules to IP tables directly. This bypasses UFW which causes our app to be exposed to the world.

Two simple solutions

1) Bind port to localhost

The problem is that our port mapping tag exposes our app:

-p 3000:5000

Restricting access to localhost is a simple change:

-p 127.0.0.1:3000:5000

This binds port 5000 inside the container to port 3000 on the localhost or 127.0.0.1 interface on the host machine.

Our app is now blocked from external traffic!

2) Use external firewalls

GCP, AWS and even OVH all have external firewalls that sit infront of the server. Leveraging cloud based firewalls in addition to UFW is the best way to solve the issue.