Why isn't firewalld filtering the services running in my Docker containers?

horse hair asked:

My services were filtered correctly after migrating from iptables to firewalld and updating the rules with firewall-cmd. Then I moved all services to containers using Docker, and ran everything with docker-compose.

My default zone is ‘public’. I have manually added docker0, my external (Ethernet) interface, and the interface the Docker containers seem to talk to the outside world with (br-304604a31e79) to the ‘public’ zone. I have run the commands to move the interfaces into the ‘public’ zone both with and without the --permanent flag.

When I use nmap to scan my server, the services running in the Docker containers are still accessible (are still ‘open’, instead of ‘filtered’).

Why isn’t firewalld filtering the services running in my Docker containers?

My answer:

Docker does its own firewalling and only ports that you explicitly exposed when configuring your containers will be open in the firewall. Only the ports exposed to the outside world need to be set in docker-compose.yml. The containers you define can always communicate with each other.

View the full question and any other answers on Server Fault.
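As an added illustration that is not part of the question or the answer above: when Docker publishes a port (a `ports:` entry in docker-compose.yml, or `-p` on the command line), it writes a DNAT rule into the nat table's DOCKER chain and a matching ACCEPT rule into the filter table's DOCKER chain. Those chains are reached from PREROUTING and FORWARD, so traffic to a published port never traverses the INPUT rules that firewalld's zones manage, which is why the scan still shows the ports as open. A port listed only under `expose:` gets no such rule and is reachable only from other containers on the same network. The compose fragment, the bridge name (taken from the question) and the container address below are constructed sample data; the two parsing helpers and `live_check` are my own and not from Docker or firewalld.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Shows which container ports Docker publishes past firewalld, by reading
# the DNAT rules Docker installs in the nat-table DOCKER chain.

# Constructed docker-compose.yml fragment: 'ports' publishes to the host,
# 'expose' only makes the port visible to other containers on the network.
COMPOSE_FRAGMENT='services:
  web:
    image: nginx
    ports:
      - "8080:80"
  db:
    image: postgres
    expose:
      - "5432"'

# Constructed sample of `iptables -t nat -S DOCKER` on a host running the
# compose file above. The bridge name comes from the question; the container
# address 172.18.0.2 is an assumption.
SAMPLE_NAT_DOCKER='-N DOCKER
-A DOCKER -i br-304604a31e79 -j RETURN
-A DOCKER ! -i br-304604a31e79 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:80'

# Print "hostport->container:port" for every DNAT rule read from stdin.
# Each of these is reachable from outside no matter which firewalld zone
# the interfaces sit in, because DNAT happens in PREROUTING and the
# forwarded packet is accepted in the filter DOCKER chain, not in INPUT.
docker_published_ports() {
  awk '/-j DNAT/ {
    hp = ""; dst = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "--dport") hp = $(i + 1)
      if ($i == "--to-destination") dst = $(i + 1)
    }
    print hp "->" dst
  }'
}

# Print the service names in the compose fragment that use 'ports:'
# (published to the host) as opposed to 'expose:' only (container-to-
# container). Assumes the two-space indentation used in the fragment.
compose_published_services() {
  printf '%s\n' "$COMPOSE_FRAGMENT" | awk '
    /^  [A-Za-z0-9_-]+:$/ { svc = $1; sub(":", "", svc) }
    /^    ports:/ { print svc }'
}

# On the real host, run this (as root) to compare what firewalld believes it
# is filtering with what Docker has actually installed. Not invoked here.
live_check() {
  firewall-cmd --get-active-zones
  iptables -t nat -S DOCKER
  iptables -S DOCKER
}

printf '%s\n' "$SAMPLE_NAT_DOCKER" | docker_published_ports   # prints 8080->172.18.0.2:80
compose_published_services                                      # prints web
```

Any port that `docker_published_ports` lists on the live host is the one to either stop publishing (bind it to `127.0.0.1:8080:80` if only the host needs it, or move it to `expose:` if only other containers do) or to filter with a rule that applies to forwarded traffic rather than to the INPUT chain.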

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.