helpme, Docker

firehol at artfulrobot.uk
Wed Aug 3 09:22:49 BST 2022


Hi Jason,

Thanks for a swift reply!

I followed that set up and yes it appears to be working, so thank you. 
However I'd like to understand a couple of things a bit better because 
when I've tried tweaking, everything breaks!

With the config you linked to, I have:

✔ The docker-compose containers can be accessed locally, great.
   This means I'll be able to reverse-proxy to them via nginx.

✔ The docker-compose containers cannot be accessed over the internet
   Good, I don't want world-access.

~ The docker-compose containers can make any client requests of the
   internet.

That last point is where I tried tweaking; I would like to restrict what 
clients in the docker-compose network can do as clients of the internet.

But when I edited the rule to be like:

interface4 br_public dkcmp
   server all accept
   client http accept
   client https accept
   client ntp accept
   client dns accept
   client icmpv6 accept
   client all reject

I can no longer access the containers' services locally, though nothing 
is logged either. It seems I need policy accept, or server all accept 
and client all accept for it to function.


Thanks,
Rich




On 02/08/2022 21:35, Jason Miller wrote:
> See this comment for getting docker and docker-compose working with firehol:
> 
> https://github.com/firehol/firehol/issues/360#issuecomment-425045387
> 
> I did that a long time ago and it was still working for me last time I used both together.
> 
> -Jason
> 
> On Tue, 02 Aug 2022 16:31:00 +0100 firehol at artfulrobot.uk wrote:
>> Hi,
>>
>> I'm not sure if this project is still going or not(?) but I'm trying to
>> use it for an internet server with several docker containers running on
>> it, as well as some native services (nginx etc.)
>>
>> I don't want the docker containers' services open to the internet, just
>> the native nginx. But I do want the docker containers to be able to
>> talk to each other, as that's essential for their functioning. I will use
>> nginx to reverse proxy to docker services where needed.
>>
>> Normally I run firehol helpme >/etc/firehol.conf
>>
>> But now it's generated an enormous file, with 72 routers, and 9 interfaces.
>>
>> Do I really need to configure all those combinations or is there a
>> simpler way?
>>
>> Thanks,
>>
>> Rich
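
Editor's note, added here and not part of the thread: the behaviour Rich describes follows from how FireHOL splits traffic. An interface block only governs traffic that begins or ends on the host itself (the INPUT and OUTPUT chains). A client line inside it matches requests the host makes out through that interface, which is exactly what nginx does when it proxies to a container over br_public, so "client all reject" cuts off local access; a matched reject is not logged, only traffic that falls through to the policy is. Traffic the containers send to the internet is forwarded, not originated by the host, so it never touches the interface block at all; it is matched by router blocks, where "server" means a request entering via inface and leaving via outface. The fragment below is an added example of how that split looks in firehol.conf, not configuration from the thread or the FireHOL project. It assumes the internet-facing interface is eth0 and that the proxied compose service listens on tcp/8080 inside its container; both are placeholders to adjust.

```conf
# Added example, not from the thread or the FireHOL project.
# Assumptions (placeholders): eth0 is the internet-facing interface and the
# compose service that nginx proxies to listens on tcp/8080 in its container.

# Host <-> containers (INPUT/OUTPUT). The host is the client whenever nginx
# connects to a container, so "client all reject" blocks exactly that.
# Allow only the port nginx needs instead of "client all accept".
interface4 br_public dkcmp
    client custom compose_web tcp/8080 default accept   # host -> container:8080
    server all accept          # containers -> host, as in the working config;
                               # narrow to the services the host really offers them
    # no "policy" line: unmatched traffic hits the default policy (drop) and is
    # logged, which is the easiest way to see what else still needs a rule

# Containers <-> internet (FORWARD). This is where the outbound restriction
# belongs. In a router, "server" is a request entering via inface and leaving
# via outface; with no "client" lines, nothing arriving on eth0 may open a
# connection to a container.
router4 dkcmp2world inface br_public outface eth0
    masquerade                 # only needed if Docker's own NAT rule does not survive
    server http  accept
    server https accept
    server dns   accept
    server ntp   accept
    server icmp  accept        # ping from the containers
    # anything else forwarded from the containers is dropped (FireHOL logs
    # unmatched traffic)
```

Load it with "firehol try" so a mistake that locks you out reverts on its own, then look at "iptables -t nat -S POSTROUTING": if Docker's MASQUERADE rule for the compose network is still present after FireHOL starts, the masquerade line is redundant and can be removed. Note that "server all accept" in the interface block lets every container reach every service listening on the host, so once things work it is worth replacing it with the specific services the containers actually use.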


More information about the Firehol-support mailing list