this post was submitted on 29 Aug 2025
523 points (99.1% liked)

Programmer Humor

Docker docs:

Docker routes container traffic in the nat table, which means that packets are diverted before they reach the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

[–] grrgyle@slrpnk.net 24 points 2 weeks ago (1 children)

If I had a nickel for every database I've lost because I let docker broadcast its port on 0.0.0.0 I'd have about 35¢

[–] MangoPenguin@lemmy.blahaj.zone 9 points 2 weeks ago (1 children)

How though? A database in Docker generally doesn't need any exposed ports, which means no ports open in UFW either.

[–] grrgyle@slrpnk.net 1 points 2 weeks ago (2 children)

I exposed them because I used the container for local development too. I just kept reseeding every time it got hacked before I figured I should actually look into security.

[–] MangoPenguin@lemmy.blahaj.zone 16 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

For local access you can use 127.0.0.1:80:80 and it won't put a hole in your firewall.

Or if your database is accessed by another docker container, just put them on the same docker network and access via container name, and you don't need any port mapping at all.

[–] grrgyle@slrpnk.net 1 points 2 weeks ago

Yeah, I know that now lol, but good idea to spell it out. So what Docker does, which is so confusing when you first discover the behaviour, is it will bind your ports automatically to 0.0.0.0 if all you specify is 27017:27017 as your port (without an IP address prefixing). AKA what the meme is about.
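An added example, not from the thread and not Docker's own tooling: two small POSIX sh helpers for the two points made in the comments above. `find_wildcard_bindings` reads the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and lists every published port whose host side is a wildcard address (`0.0.0.0`, `:::` or `[::]`), which is exactly what the `27017:27017` shorthand produces and what the nat-table rules expose regardless of ufw. `loopback_only` rewrites a `-p` or compose `ports:` entry into the `127.0.0.1:host:container` form so the listener stays on localhost. The function names, the embedded `docker ps` sample and its container names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Docker): find published container
# ports bound to every interface, and rewrite mappings to bind to loopback.

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Container names are made up. In real use, pass the live command output in:
#   find_wildcard_bindings "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
SAMPLE_PS_OUTPUT=$(printf 'mongo\t0.0.0.0:27017->27017/tcp, :::27017->27017/tcp\npostgres\t127.0.0.1:5432->5432/tcp\nredis\t6379/tcp\nweb\t0.0.0.0:80->80/tcp, [::]:80->80/tcp\n')

# Print "<container> <host-address:port>" for every mapping whose host side is
# a wildcard address. A line with only "6379/tcp" is an exposed-but-unpublished
# port (container network only) and is not reported.
find_wildcard_bindings() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | while IFS="$tab" read -r name ports; do
        [ -n "$ports" ] || continue            # nothing published
        # Each container may have several comma-separated mappings.
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r mapping; do
            case "$mapping" in
                0.0.0.0:*|:::*|'[::]:'*)
                    # Strip "->container/proto", keep the host address:port.
                    printf '%s %s\n' "$name" "${mapping%%->*}"
                    ;;
            esac
        done
    done
}

# Rewrite a port mapping so it binds to loopback unless an address is already
# given. Explicit addresses (including non-loopback ones) are left alone, since
# those are a deliberate choice rather than the implicit 0.0.0.0 default.
#   27017:27017            -> 127.0.0.1:27017:27017
#   8080:80/tcp            -> 127.0.0.1:8080:80/tcp
#   6379                   -> 127.0.0.1::6379   (random host port, loopback only)
#   127.0.0.1:5432:5432    -> unchanged
loopback_only() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" ;;            # address:host:container
        *:*)   printf '127.0.0.1:%s\n' "$1" ;;  # host:container
        *)     printf '127.0.0.1::%s\n' "$1" ;; # container only
    esac
}

# Stand-alone demo on the constructed sample.
find_wildcard_bindings "$SAMPLE_PS_OUTPUT"
loopback_only "27017:27017"
```

On a VPS the first function is the quick check to run after `docker compose up`: anything it prints is reachable from the internet no matter what `ufw status` says, because the DOCKER chains in the nat table act before ufw's INPUT rules. The second function is the fix the comment above describes; the same `127.0.0.1:` prefix works in a compose `ports:` list.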

[–] firelizzard@programming.dev 2 points 2 weeks ago (1 children)

Where are you working that your local machine is regularly exposed to malicious traffic?

[–] grrgyle@slrpnk.net 1 points 2 weeks ago (1 children)

My use case was run a mongodb container on my local, while I run my FE+BE with fast live-reloading outside of a container. Then package it all up in services for docker compose on the remote.

[–] firelizzard@programming.dev 2 points 2 weeks ago (1 children)

Ok… but that doesn’t answer my question. Where are you physically when you’re working on this that people are attacking exposed ports? I’m either at home or in the office, and in either case there’s an external firewall between me and any assholes who want to exploit exposed ports. Are your roommates or coworkers those kinds of assholes? Or are you sitting in a coffee shop or something?

[–] grrgyle@slrpnk.net 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

This was on a VPS (remote) where I didn't realise Docker was even capable of punching through UFW. I assumed (incorrectly) that if a port wasn't reverse proxied in my nginx config, then it would remain on localhost only.

Just run docker run -p 27017:27017 mongo:latest on a VPS and check the default collections after a few hours and you'll likely find they're replaced with a ransom message.

[–] firelizzard@programming.dev 2 points 2 weeks ago

Ah, when you said local I assumed you meant your physical device