evolix/minifirewall
21
0
Fork 0
Code Issues 4 Pull requests 3 Releases 1 Activity

Docker handling #5

Manually merged
lpoujol merged 2 commits from docker into master 2020-07-27 10:43:27 +02:00
Conversation 2 Commits 2 Files changed 2 +115 -3
lpoujol commented 2020-07-06 10:34:33 +02:00
Owner
Copy link

With this PR, minifirewall, can now handle properly docker networking without breaking it.

There is a new setting 'DOCKER', in the config file that can be either on or off (and should be defined)

off : Minifirewall behaviour stays the same. Docker shall not be used.

on : Minifirewall will :

  • Not purge the nat table on stop as it breaks outgoint network trafic from living containers.
    (Side note: It's better to not have squid, or changes the rules, to not insert squid firewall rules at each restart since the nat table isn't flushed)

  • Create DOCKER-USER chain (if absent), and send "NEW" (according to iptable state) packets into the following chains :

1/ MINIFW-DOCKER-PUB (Public, unfiltered services allowed in SERVICESTCP1 SERVICESUDP1 )
2/ MINIFW-DOCKER-PRIVILEGED (Privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 SERVICESUDP2 )
3/ MINIFW-DOCKER-TRUSTED (Trusted, filtered services to trusted IPs, defined by SERVICESTCP3 SERVICESUDP3 )

Allowed trafic will be matched, and returned to DOCKER-USER chain
if a packet reach the end of MINIFW-DOCKER-TRUSTED, it will be dropped

Notes :

  • SERVICESTCP1p & SERVICESUDP1p are not used !
  • Dropped packets from MINIFW-DOCKER-TRUSTED aren't logged
  • Commit message of 0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4
  • Maybe a preliminary check should ensure that DOCKER variable exists (and is either on or off) ?
  • Outgoing HTTP (80/tcp) from a container isn't filtered by squid

Unless someone raises an issue, or veto it, this PR will be merged on Wednesday, July 22nd

With this PR, minifirewall, can now handle properly docker networking without breaking it. There is a new setting 'DOCKER', in the config file that can be either **on** or **off** (and should be defined) **off** : Minifirewall behaviour stays the same. Docker **shall not** be used. **on** : Minifirewall will : - Not purge the nat table on stop as it breaks outgoint network trafic from living containers. (Side note: It's better to not have squid, or changes the rules, to not insert squid firewall rules at each restart since the nat table isn't flushed) - Create DOCKER-USER chain (if absent), and send "NEW" (according to iptable state) packets into the following chains : 1/ MINIFW-DOCKER-PUB (Public, unfiltered services allowed in SERVICESTCP1 SERVICESUDP1 ) 2/ MINIFW-DOCKER-PRIVILEGED (Privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 SERVICESUDP2 ) 3/ MINIFW-DOCKER-TRUSTED (Trusted, filtered services to trusted IPs, defined by SERVICESTCP3 SERVICESUDP3 ) Allowed trafic will be matched, and returned to DOCKER-USER chain if a packet reach the end of MINIFW-DOCKER-TRUSTED, it will be dropped **Notes** : * SERVICESTCP1p & SERVICESUDP1p are not used ! * Dropped packets from MINIFW-DOCKER-TRUSTED aren't logged * Commit message of 0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4 * Maybe a preliminary check should ensure that DOCKER variable exists (and is either on or off) ? * Outgoing HTTP (80/tcp) from a container isn't filtered by squid Unless someone raises an issue, or veto it, this PR will be merged on **Wednesday, July 22nd**
lpoujol added the
enhancement
 label 2020-07-06 10:34:34 +02:00
lpoujol self-assigned this 2020-07-06 10:34:34 +02:00
gcolpart commented 2020-07-10 10:23:46 +02:00
Owner
Copy link

yallah!
(we should have evocheck test to verify SQUID and DOCKER are not both enabled)
(why we need to flush DOCKER-USER chain? maybe only iptables -I -j MINIFW-DOCKER-PUB ?)

yallah! (we should have evocheck test to verify SQUID and DOCKER are not both enabled) (why we need to flush DOCKER-USER chain? maybe only `iptables -I -j MINIFW-DOCKER-PUB` ?)
lpoujol commented 2020-07-27 10:22:57 +02:00
Author
Owner
Copy link

Technically, it's not needed.
But I chose to flush it to ensure it only contains minifirewall rules on start.

Technically, it's not needed. But I chose to flush it to ensure it only contains minifirewall rules on start.
lpoujol manually merged commit 3bcaee5b58 into master 2020-07-27 10:43:27 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
lpoujol
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: evolix/minifirewall#5
No description provided.
Delete branch "docker"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?