I’m trying to wrap my head around it. If you only allow your IP through and everything else is blocked, then CrowdSec won't add any value here, because no IP other than yours can connect, unless you do have other services exposed. However, at that point it would have been better for you to use something like nginx to reverse proxy to Docker, then only allow your IP to ports 80 and 443.
Because then you wouldn't need to add a route for each Docker port; you would only need to update your nginx config to allow a new subdomain or path to a new application. However, that is how I would have handled it.
At the moment I only allow my static IP to connect to Docker containers. I have Nginx-Proxy-Manager in place.
A Nextcloud container is also running.
The only things open to the wild are ports 443 and 80, but only from my official static IP at the moment (done by ufw and route allow from xxx) and only to the IP of the Nginx-Proxy-Manager.
The Nginx-PM forwards requests for my Nextcloud FQDN to the Docker container.
But what if I open Nextcloud to “all”?
At this point I may want to use CrowdSec, but I am very unsure whether it will work without interfering with ufw's iptables rules when banning IPs etc.
So what if I have the ufw modification in place, Docker with iptables, and CrowdSec? Will this work as expected?
From what I can tell from the ufw script, it will be fine; we prepend to the top of the chains you configure. So in theory the default INPUT chain should be fine. So yes, if you plan to open to the internet then CrowdSec would add value.
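The last reply says the bouncer prepends its rule to the top of each chain it is configured for, ahead of anything ufw or Docker added. Below is an added example, not code from this thread or from CrowdSec, of how to verify that on the host: a POSIX shell script that reads each chain the way `iptables -S CHAIN` prints it and reports whether the first real rule is the bouncer's DROP. It assumes the firewall bouncer is in iptables mode with its IPv4 ipset named crowdsec-blacklists and managing the chains INPUT, FORWARD and DOCKER-USER (the chains named in the bouncer's iptables_chains setting); the ufw route rule in the comment and the sample listings are constructed for illustration, with a documentation-range address standing in for the poster's static IP.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the crowdsec firewall
# bouncer's DROP rule sits at the top of every chain it manages, so a banned
# IP is dropped before ufw's allow rules or Docker's FORWARD jumps are reached.
#
# Assumptions (not stated in the thread):
#  - bouncer in iptables mode, IPv4 ipset named "crowdsec-blacklists"
#  - bouncer configured for the chains INPUT, FORWARD and DOCKER-USER
#  - the "only my static IP to NPM on 80/443" rule from the thread looks
#    roughly like this (203.0.113.10 and 172.18.0.5 are placeholders):
#      ufw route allow proto tcp from 203.0.113.10 to 172.18.0.5 port 80,443

# Return 0 if the first non-policy, non-chain-declaration rule of a chain
# listing (the `iptables -S CHAIN` format, passed as one multi-line string)
# matches the crowdsec ipset with a DROP target; 1 otherwise.
first_rule_is_crowdsec() {
    first=$(printf '%s\n' "$1" | grep -v '^-P ' | grep -v '^-N ' | head -n 1)
    case "$first" in
        *"--match-set crowdsec-blacklists src"*" -j DROP") return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the chains the bouncer is assumed to manage on the live host.
# Prints one line per chain; returns non-zero if any chain is missing the
# rule or has it somewhere other than position 1.
check_chains() {
    rc=0
    for chain in INPUT FORWARD DOCKER-USER; do
        listing=$(iptables -S "$chain" 2>/dev/null) || {
            echo "$chain: chain missing or iptables not available"
            rc=1
            continue
        }
        if first_rule_is_crowdsec "$listing"; then
            echo "$chain: crowdsec DROP is first"
        else
            echo "$chain: crowdsec DROP not at top (ufw/docker rules run first)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings (not captured from any real host).
# SAMPLE_OK: bouncer rule prepended ahead of ufw's jump rules, as the reply
# describes. SAMPLE_BAD: bouncer rule appended after Docker's FORWARD jumps,
# which is the ordering a practitioner wants to catch.
SAMPLE_OK='-P INPUT DROP
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input'

SAMPLE_BAD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -m set --match-set crowdsec-blacklists src -j DROP'

# Run against the real chains only when asked (needs root and iptables).
if [ "${1:-}" = "--live" ]; then
    check_chains
fi
```

Run it as `sudo sh check_bouncer_order.sh --live` on the host; a chain reported as "not at top" means something (a ufw reload, the ufw-docker script, or a Docker restart rewriting DOCKER-USER) reordered rules after the bouncer started, and restarting the bouncer re-inserts its rule at position 1.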