Hi all,

We have been (ab)using shorewall for some years now and we're very happy with it - thanks everyone, and Tom in particular, for such a great tool.
We have been using it to manage security for a set of VMs running applications with docker-compose. Almost all of our hosts have a single external network interface; this is perhaps not the use case for which shorewall was designed, but it has been working for us so far.

We now have a scenario which is proving more difficult: we want to access a service running on a host from within a container. We have tried the most open configuration possible - a policy with all:all ACCEPT and no rules; it seems the service is accessible from anywhere except inside the docker container. Accessing the service from inside the container results in timeouts, so presumably the packets are being dropped somewhere. We tried ping, ssh (on standard ports) and an http service running on a high port number.

Zone configuration:

root@dhit-disposable01:/etc/shorewall# cat zones
###############################################################################
#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
fw      firewall
net     ipv4
dock    ipv4

Interface configuration:

root@dhit-disposable01:/etc/shorewall# cat interfaces
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     eth         physical=eth+,dhcp,nosmurfs
net     en          physical=en+,dhcp,nosmurfs
dock    docker0     physical=docker+,routeback=1
dock    br          physical=br-+,routeback=1

Policy configuration:

root@dhit-disposable01:/etc/shorewall# cat policy
#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
all       all    ACCEPT

Rules configuration:

root@dhit-disposable01:/etc/shorewall# cat rules
#ACTION   SOURCE   DEST   PROTO   DPORT
# No rules

Docker configuration as per shorewall.conf:

root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
# Default shorewall config, except for DOCKER=Yes (and this comment).
DOCKER=Yes
DOCKER_BRIDGE=docker0

I did shorewall compile, safe-reload and then restarted the docker daemon, but the packets still seem to be being dropped. I tried iptables-tracer [1] to get some info on where they disappear and it seems packets are being dropped on the return path.

I checked the documentation and could not find any answer in the FAQs. I could not generate a shorewall dump as we are using journald rather than syslog and it's unclear to me how such a dump can be generated in this case.

Happy to provide further information as required. Any thoughts/pointers appreciated...

Best regards,
Sean.

[1] https://github.com/x-way/iptables-tracer

__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44 289-84-22
www.datahouse.ch
__________________________________

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
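One way to narrow down which rule is discarding the container's traffic, as an added diagnostic that is not part of Sean's post or of Shorewall: take two `iptables -nvxL` snapshots around a test connection from the container and report the DROP/REJECT rules (and built-in chain policies) whose packet counters grew in between. The function name `diff_drop_counters` and the two sample snapshots are constructed for this example.

```shell
#!/bin/sh
# Added example: diff two `iptables -nvxL` snapshots and list the DROP/REJECT
# rules (and built-in chain policies) whose packet counters grew in between.
# Targets are matched case-insensitively, so jumps into Shorewall's Drop/Reject
# action chains are reported as well. On a real host:
#   before=$(iptables -nvxL); <test from the container>; after=$(iptables -nvxL)
#   diff_drop_counters "$before" "$after"

diff_drop_counters() {
  # $1 = snapshot taken before the test, $2 = snapshot taken after it
  printf '%s\n' "$1" "---SPLIT---" "$2" | awk '
    function check(key, target, pkts) {
      if (phase != 2) { before[key] = pkts + 0; return }
      if (toupper(target) ~ /^(DROP|REJECT)$/ && pkts + 0 > before[key] + 0)
        printf "%s: +%d packets in [%s]\n", target, pkts - before[key], key
    }
    /^---SPLIT---$/ { phase = 2; next }
    /^Chain / {                  # e.g. "Chain FORWARD (policy DROP 2 packets, 120 bytes)"
      chain = $2
      if ($3 == "(policy") check(chain " policy " $4, $4, $5)
      next
    }
    $1 == "pkts" || NF < 3 { next }   # column header and blank lines
    {
      key = chain                      # rule text without its two counter columns
      for (i = 3; i <= NF; i++) key = key " " $i
      check(key, $3, $1)
    }'
}

# Constructed sample snapshots standing in for real `iptables -nvxL` output.
BEFORE='Chain FORWARD (policy DROP 2 packets, 120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100    12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       5      300 DROP       all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
       0        0 Reject     all  --  *      docker0 0.0.0.0/0            0.0.0.0/0'
AFTER='Chain FORWARD (policy DROP 5 packets, 300 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     130    15600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      12      720 DROP       all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
       0        0 Reject     all  --  *      docker0 0.0.0.0/0            0.0.0.0/0'

diff_drop_counters "$BEFORE" "$AFTER"
```

Only rules whose counters actually moved during the test are printed, so a rule with a large but static count (like the unchanged Reject line above) is not reported.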