I think I've decided...
I want to do database administration.
Very boring. Almost as bad as learning C programming. A bunch of abstract concepts unfortunately.
Docker like: "Let's fuck up your iptables, soydevs don't know how to use firewalls anyway (they'll just firewall at the router level or whatever)"
@splitshockvirus@mstdn.starnix.network
skill issue?
I happen to like the fact that the containers have remapped ports on the public facing network, but they still have the original default port numbers talking to each other on the 172.17.0.0 network.
I can decide how I wanna fuck-up the #ufw on the host #VPS, or just leave everything open.
Remapping your ports is not the issue. It's the fact that it bypasses your rules by default. No application should ever be given authority to do that unless you explicitly firewall it or launch it to do so; docker just assumes this by default.
@splitshockvirus@mstdn.starnix.network
I'll test your theory next time I manipulate #ufw on the host #VPS.
Right now, I've got whitelisted hosts on the dbs inside the containers. Plus the fact that nobody knows the IP address of the host VPS because I don't have misskey (or any other public services) running on that box.
My nginx and misskey are on a different budgetbox entirely.
Are you running your docker-compose on the VPS?
@splitshockvirus@mstdn.starnix.network
that's... a bit more involved than I expected.
I'll take a look at that later, but right now I've got pretty much all ports open at the host level.
Security inside the containers, plus security-through-obscurity, not running any public services. I'll do some more work on it later
I'm not criticizing your swarm. I'm telling you it modifies iptables in a way counterproductive to standard firewall security of deny by default and allow by exception. If you allow all ports by default then this doesn't apply to you.
I found this thing asking the robot™
dockerd --iptables=false: Disables Docker's management of iptables rules.
This probably will break Docker's automagic port mapping, which means you'll not only need to allow it manually, you'll also need to do NAT manually (annoying).
Kind of wonder if this is just a limitation with Linux iptables/netfilter.
iptables handles NAT and port blocking. If NAT was a separate application, this probably wouldn't be an issue.
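The point made above, and the earlier one about containers keeping their default ports on the 172.17.0.0 network while the host publishes remapped ones, comes down to what Docker writes into the nat table's DOCKER chain. The script below is an added example, not something from this thread or from Docker itself: it parses `iptables-save -t nat` style output and lists every host port Docker has DNAT'd to a container, which is the set of ports reachable from outside no matter what ufw's INPUT policy says (forwarded traffic never hits INPUT). The rules it parses are constructed to look like the ones Docker generates; on a real host you would pipe in `iptables-save -t nat` instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Docker): list the host ports that
# Docker has published via DNAT rules in the nat table's DOCKER chain. These
# ports are reachable from outside regardless of ufw's INPUT rules, because
# the traffic is forwarded to the container rather than delivered locally.
#
# Constructed sample standing in for `iptables-save -t nat` output. The third
# DNAT rule is what `docker run -p 127.0.0.1:6379:6379` produces: bound to
# loopback only. The other two answer on every interface.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.4:6379
COMMIT'

# Print one line per DNAT rule in the DOCKER chain:
#   "<proto> <hostport> -> <container>:<port> [<scope>]"
# scope is the explicit -d address when present, otherwise "all-interfaces".
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j DNAT/ {
            proto = ""; dport = ""; dest = ""; scope = "all-interfaces"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
                if ($i == "-d") scope = $(i + 1)
            }
            printf "%s %s -> %s [%s]\n", proto, dport, dest, scope
        }'
}

# Count the published ports that answer on every interface: the ones a
# deny-by-default ufw policy on the host would normally have hidden.
docker_world_reachable_count() {
    docker_published_ports "$1" | grep -c 'all-interfaces'
}

docker_published_ports "$SAMPLE_NAT_RULES"
printf 'world-reachable published ports: %s\n' "$(docker_world_reachable_count "$SAMPLE_NAT_RULES")"
```

With `dockerd --iptables=false` the DOCKER chain is never created, so this lists nothing and you are back to writing the DNAT and FORWARD rules yourself. If you keep Docker's iptables management, the two defensive levers the sample illustrates are binding published ports to 127.0.0.1 (the third rule) so only local services on the host reach them, and Docker's documented DOCKER-USER filter chain, which is evaluated before Docker's own FORWARD rules, so a DROP placed there for traffic arriving on the external interface holds even though ufw's INPUT rules do not apply to forwarded packets.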
@splitshockvirus@mstdn.starnix.network
The vultr #docker install has all ports open on the #VPS, which makes sense, since they don't know what docker images you're gonna use.
I was planning on setting up a deny-by-default #ufw ruleset eventually, but you're telling me I can't do that? Interesting.
I'll figure something out.
Just firewall at Vultr level it's easier. Until you need to do some massive IP block or analytics.
@splitshockvirus@mstdn.starnix.network
No, I'm pulling the pre-made images from dockerhub.
Official images, except for #bitnami
I've skimmed the bitnami dockerfiles and built some of them on my laptop but I don't have home-brew docker images/containers in production.
docker run alpine:latest
@splitshockvirus@mstdn.starnix.network
I've got no meatspace, government-name emails or social inside this server BTW. Just my #misskey shitposts, and some shitty code in gitea.
#git config --global user.name "Anon D. Velopr-Fuckoff"