I am using Docker on a vserver. As (without modification of the ufw after.rules) ufw is not blocking anything when it comes to Docker-exposed ports, I used GitHub - chaifeng/ufw-docker ("To fix the Docker and UFW security flaw without disabling iptables modification").
From now on I can allow (or not) connections to exposed Docker ports by e.g.
ufw route allow proto tcp from mystaticip to any port 9443
But what if I give CrowdSec (containerized) a shot, in addition to the modded ufw? AFAIK CrowdSec also works with iptables.
Will CrowdSec work as expected in this situation?
Will they (ufw & CrowdSec) interfere and "destroy" a working iptables config?
As I am on a vserver standing in the wild (= the Internet), I cannot go without a firewall. So I have to have a working ufw (iptables) firewall.
I'm trying to wrap my head around it. If you only allow your IP through and everything else is blocked, then CrowdSec won't add any value here because no other IP than yours can connect, unless you do have other services exposed. However, at that point it would have been better for you to use something like nginx to reverse proxy to Docker and then only allow your IP to ports 80 and 443.
Because then you wouldn't need to add a route for each Docker port; you would only need to update your nginx config to allow a new subdomain or path to a new application. However, that's how I would have handled it.
Hi and thanks for your reply.
Well I should have been clearer.
At the moment I only allow my static IP to connect to Docker containers. I have Nginx-Proxy-Manager in place.
Also a Nextcloud container is running.
The only things open to the wild are ports 443 and 80, but only from my official static IP at the moment (done by ufw and route allow from xxx) and only to the IP of the Nginx-Proxy-Manager.
The Nginx-PM forwards requests to my FQDN of Nextcloud to the Docker container.
But what if I open Nextcloud for "all"?
At this point I may want to use CrowdSec, but I am very unsure whether it will work, without interfering with the iptables rules of ufw, when banning IPs etc.
So what if I have the ufw modification in place & Docker with iptables & CrowdSec? Will this work as expected?
From what I can tell from the ufw script, it will be fine: we prepend to the top of the chains you configure. So in theory the default INPUT chain should be fine. So yes, if you plan to open to the Internet then CrowdSec would add value.
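The answer above hinges on rule ordering: a ban rule only helps if it sits ahead of the rules that would ACCEPT the traffic (ufw's own chains, or the ufw-user-forward jump that ufw-docker puts into DOCKER-USER). Below is an added example, not code from the thread, from ufw-docker or from CrowdSec, that parses `iptables -S` output and reports per chain whether a blocklist DROP rule comes before the first rule that could let traffic through. The sample rule dump, the ipset name `crowdsec-blacklists` and the chain contents are constructed assumptions, deliberately arranged so that INPUT is fine while DOCKER-USER has the ban rule appended after the ufw jump, which is exactly the situation a practitioner would want this check to flag.

```python
"""Check that a blocklist DROP rule precedes ufw's allow/jump rules per chain.

Added example, not from the original thread. Parses `iptables -S` style output
(sample below is constructed) and returns a verdict per chain:
  'ok'       - blocklist DROP appears before any ACCEPT or jump into a ufw chain
  'too-late' - an ACCEPT / ufw jump precedes the blocklist DROP
  'missing'  - no blocklist DROP rule in that chain at all
The ipset name "crowdsec-blacklists" is an assumed name for illustration.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of `iptables -S INPUT; iptables -S DOCKER-USER` after both
# ufw-docker and a firewall bouncer have inserted rules. Not a real dump.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-N DOCKER-USER
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j RETURN
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)$")


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Group '-A CHAIN ...' lines by chain, preserving order; -P/-N lines are skipped."""
    chains: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains.setdefault(m.group("chain"), []).append(m.group("body"))
    return chains


def first_index(rules: List[str], predicate: Callable[[str], bool]) -> Optional[int]:
    """Position of the first rule satisfying predicate, or None."""
    for i, rule in enumerate(rules):
        if predicate(rule):
            return i
    return None


def blocklist_position(rules: List[str], ipset: str) -> Optional[int]:
    """Index of the first rule that DROPs sources matching the blocklist ipset."""
    return first_index(
        rules, lambda r: f"--match-set {ipset} src" in r and "-j DROP" in r
    )


def first_pass_position(rules: List[str]) -> Optional[int]:
    """Index of the first rule that may let traffic through ahead of a later DROP:
    an explicit ACCEPT, or a jump into a ufw chain (which can ACCEPT internally)."""
    return first_index(
        rules, lambda r: "-j ACCEPT" in r or re.search(r"-j ufw-\S+", r) is not None
    )


def check_chain_order(text: str, ipset: str = "crowdsec-blacklists") -> Dict[str, str]:
    """Return {chain: verdict} for every chain present in the rule dump."""
    verdicts: Dict[str, str] = {}
    for chain, rules in parse_rules(text).items():
        drop_at = blocklist_position(rules, ipset)
        pass_at = first_pass_position(rules)
        if drop_at is None:
            verdicts[chain] = "missing"
        elif pass_at is not None and pass_at < drop_at:
            verdicts[chain] = "too-late"
        else:
            verdicts[chain] = "ok"
    return verdicts


if __name__ == "__main__":
    for chain, verdict in check_chain_order(SAMPLE_RULES).items():
        print(f"{chain}: {verdict}")
```

On a live host you would feed it the real output of `iptables -S INPUT` and `iptables -S DOCKER-USER` (and the FORWARD chain if the bouncer is configured for it) instead of the constructed sample; a "too-late" verdict on DOCKER-USER means published container ports are reachable by banned sources before the ban rule is ever consulted.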