this post was submitted on 21 Feb 2023

General Programming Discussion

[–] blank_sl8@lemmy.ml 2 points 2 years ago

Yep, this sort of stuff happens and is extremely annoying. Libvirtd will do it for VM networking by default too.

The solution at the intersection of easy to implement and reliable is to just use nftables instead of iptables. Then, the extra rules automatically added by tools are usually much more predictable and easier to integrate with your own rules. Briefly, if nftables is enabled, most tools that mess with the firewall will create a new table inside of nftables with a lower-than-default priority, so that if you have your own custom table set up, the new rules won't interfere with it. (That being said, it is possible that your higher-priority table will cause the automatically added rules not to behave as intended, in which case you may need to add more rules to your manually added table. But manual rules breaking automatic ones is better than automatic rules breaking manual ones imo).

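An added example, not from the comment above: one hand-written nftables table next to a table of the kind a tool might install at runtime, so the priority ordering being described can be seen in the ruleset itself. The table, chain and interface names (`admin`, `tool_example`, `br-example`) and the tool's priority of -10 are assumptions for illustration, not what any particular tool creates.

```nft
#!/usr/sbin/nft -f
# Added example: manually managed table plus a hypothetical tool-installed
# table, to show how base-chain priorities order evaluation on one hook.

# Replace only our own table atomically. The bare declaration creates the
# table if it is missing so the following delete never fails; this avoids
# "flush ruleset", which would also wipe every table other tools added.
table inet admin
delete table inet admin

table inet admin {
    chain input {
        # "priority filter" is the symbolic name for 0, the usual default.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
}

# Hypothetical table of the shape a container/VM tool might add (assumption;
# written out here only so the ordering is visible). Base chains on the same
# hook run in ascending priority order, so this forward chain at -10 sees
# each forwarded packet BEFORE "inet admin forward" at 0. An "accept" here is
# not final: the packet still continues to the admin chain, whose "policy
# drop" applies unless one of its rules accepts. A "drop" here would be final.
table ip tool_example {
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "br-example" accept
        oifname "br-example" ct state established,related accept
    }
}
```

Load with `nft -f <file>` and inspect with `nft list chains`, which prints every base chain together with its hook and priority, or `nft list ruleset` for the full picture; rules that a tool installs through iptables-nft also appear there, as ordinary tables such as `ip filter` and `ip nat`. With the layout above the tool's accepts cannot punch through the admin policy, but the admin policy can block the tool's bridge traffic until a matching accept is added to `inet admin forward`, which is the trade-off the comment describes.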
[–] indyradio@indieweb.social 1 point 2 years ago (1 child)
[–] yogthos@lemmy.ml 0 points 2 years ago (1 child)

I'd say it's not, as it's an implicit and surprising behavior with security implications.

[–] indyradio@indieweb.social 2 points 2 years ago (1 child)

@yogthos I absolutely agree! I'm not a fan of Docker because of things like this, but I thought I would ask for an opinion rather than impose mine.

[–] yogthos@lemmy.ml 0 points 2 years ago (1 child)

I find Docker is one of those technologies that's useful conceptually, but the actual implementation is a complete mess.

[–] indyradio@indieweb.social 1 point 2 years ago

@yogthos You came out of nowhere, but we absolutely agree. lol
I just will not use it.