Proper way to use firewalld with Docker/Docker Swarm

rah606
Posts: 1
Joined: 2020/03/30 20:43:20

Proper way to use firewalld with Docker/Docker Swarm

Post by rah606 » 2020/03/30 20:47:31

Hi!

Regarding Docker/Docker Swarm and firewalld, we have various ways to configure access to containerized services from outside, connections between various Docker networks and access from containers to the global network. What is the best way to deal with this?

Currently, I am using a method where Docker interfaces are added to trusted interfaces. But I see some risks, for example: I accidentally publish some service not only to the local machine, but as public (because all connections in this zone are trusted). What other options do I have? Adding masquerade to the public zone (sounds unsafe, and probably containers will be unable to check another container's real IP)? Custom zones in firewalld? How do professionals do it? Could you provide me some solution?

jlehtone
Posts: 3044
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Proper way to use firewalld with Docker/Docker Swarm

Post by jlehtone » 2020/04/03 11:50:42

I don't know Docker, so I don't like it. Actually, the bits I know make me hate it. That said, the first web search says that Docker has a "bridged network" by default. That is no different from default libvirtd/KVM networking.

The host has a "bridge": a virtual switch to which the container(s) are connected with virtual cables. The host may or may not be connected too. That is one network. One subnet. The host is connected to a physical switch with a physical cable. That is another subnet. Another network.

The host can route between the networks. Optionally, the host can hide/masquerade/sNAT the existence of the virtual network.


The real issue is that firewalld is not nice for routing. It is very convenient for "Who can talk to me?" but appalling at "Who can talk through me?" apart from trivial cases.
Custom or customized zones, yes. Probably with rich rules.

However, a feasible alternative -- if you know what you are doing* -- is to remove the firewalld and create nftables ruleset directly.

*Those who think that they do, invariably don't. With network security that is very dangerous.

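A concrete version of the custom-zone approach jlehtone mentions, added here as an example that is not code from this thread or from Docker/firewalld: a POSIX shell script that prints (or applies) the firewall-cmd calls for a dedicated zone on the Docker bridge, so that only named services on the host are reachable from containers instead of everything, as with the trusted zone. Zone name dockerbr, bridge docker0, subnet 172.17.0.0/16, egress zone public and the dns service are constructed placeholders; note that a port published with -p is opened by Docker's own NAT rules on every host address unless bound explicitly (e.g. -p 127.0.0.1:8080:80), which is the exposure the question describes and which no zone setting prevents.

```shell
#!/bin/sh
# Added example (not from the thread): a dedicated firewalld zone for the
# Docker bridge instead of putting the bridge into the "trusted" zone.
# The new zone keeps firewalld's "default" target, so traffic from containers
# to the host is rejected unless a rule below allows it; "trusted" accepts all.
# Zone name, bridge, subnet and egress zone are constructed placeholders.
set -e

# docker_zone_plan ZONE BRIDGE SUBNET EGRESS_ZONE [SERVICE...]
# Prints the firewall-cmd calls instead of running them so they can be reviewed.
docker_zone_plan() {
    zone="$1"; bridge="$2"; subnet="$3"; egress="$4"; shift 4
    printf '%s\n' "firewall-cmd --permanent --new-zone=$zone"
    printf '%s\n' "firewall-cmd --permanent --zone=$zone --change-interface=$bridge"
    # Containers may talk to the host only for the listed firewalld services
    # (e.g. dns so that they can resolve names through the host).
    for svc in "$@"; do
        printf '%s\n' "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$subnet\" service name=\"$svc\" accept'"
    done
    # Masquerade on the zone that holds the uplink lets container traffic be
    # forwarded out and hides the container subnet behind the host address.
    printf '%s\n' "firewall-cmd --permanent --zone=$egress --add-masquerade"
    printf '%s\n' "firewall-cmd --reload"
}

# Run the plan line by line; refuses to start unless firewall-cmd is installed.
docker_zone_apply() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found" >&2
        return 1
    }
    docker_zone_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

# Usage: ./docker-zone.sh plan|apply  (review the plan before applying it)
case "${1:-}" in
    plan)  docker_zone_plan  dockerbr docker0 172.17.0.0/16 public dns ;;
    apply) docker_zone_apply dockerbr docker0 172.17.0.0/16 public dns ;;
esac
```

Docker 20.10 and later creates a firewalld zone named docker and moves its bridges into it when the daemon starts, so check `firewall-cmd --get-active-zones` after a Docker restart to see where the bridge actually ended up.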
aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Proper way to use firewalld with Docker/Docker Swarm

Post by aks » 2020/04/05 17:17:40

IMO Docker (and cousins) is really aimed at a single node. Kubernetes/Swarm et al are aimed at multiple nodes.

If you launch your containers in the same namespace you *should* be able to talk to them over localhost (k8s does this by default).

I think you're thinking about this wrong: rather than thinking of per-container/node protection, think along the lines of service protection (also, Docker makes a hairpin bend in the iptables, which is kind of messy), but that's an opinion.
