This is a working config for podman, which is RedHat's preferred more or
less drop in daemonless replacement for docker.
Docker is what we used to be on, but I'd have to dig some years back in
an old machine to find the RCS version for a docker config. If memory
serves me right, the only change was interface name. As you can see, my
zone name is still dock.
# $Id: interfaces,v 1.4 2023/01/05 23:55:45 root Exp $
# http://www.shorewall.net/manpages/shorewall-interfaces.html
# https://gist.github.com/lukasnellen/20761a20286f32efc396e207d986295d
?FORMAT 2
#ZONE INTERFACE OPTIONS
net eno1
loc eno2
# podman 4 is podman+, podman 3 uses cni-podman+
dock podman+ routeback=1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
===
# $Id: policy,v 1.3 2025/03/21 02:05:00 root Exp root $
###############################################################################
#SOURCE DEST POLICY LOG
LIMIT:BURST
# LEVEL
fw all ACCEPT
dock all ACCEPT
loc $FW ACCEPT
net fw DROP # info # too much noise
all all REJECT info
#LAST LINE -- DO NOT REMOVE
===
---
Jeffrey Goh,
Lightspeed Technologies Pte Ltd
7 Straits View, #05-02 Marina One East Tower Singapore 018936
phone: +65-6468-5536 website: lightspeed.com.sg
https://www.facebook.com/lightspeed.sg/ https://m.me/lightspeedsg/
On 2025-03-21 01:12, Winston Sorfleet wrote:
It may seem like a stupid question (again, I don't know docker) but,
are the VMs' virtual network interfaces, and the host's network
interface, in the same zone?
On 2025-03-20 4:19 a.m., Sean Murphy via Shorewall-users wrote:
Thanks Winston - I had hoped to avoid getting my hands dirty with
tcpdump but it
looks like I might have to. Do you find it straightforward to track
movements through
the chains and tables with tcpdump?
The client runs in a docker container - my main objective is to use
curl from within a docker
container as the client and a http server running on the host but I've
also been trying it
out with and ssh client and a ping client (both working inside the
container).
We have basically 3 zones: the firewall zone, the network zone and the
docker zone.
The firewall zone is as defined by shorewall. The network zone refers
to traffic on the
(single) network interface and the docker zone refer to traffic
originating and terminating
on the docker bridge.
Thanks for any insights.
BR,
Sean.
__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44 289-84-22
www.datahouse.ch
Linkedin:
https://www.linkedin.com/company/wuestpartner/posts/?feedView=all&viewAsMember=true
YouTube: https://www.youtube.com/channel/UC4Esiu5N_zg2JRERufw5HvA
__________________________________
________________________________________
From: Winston Sorfleet <w...@romanus.ca>
Sent: Wednesday, March 19, 2025 7:16 PM
To: shorewall-users@lists.sourceforge.net
<shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Problems accessing host from docker
container running on host
[You don't often get email from w...@romanus.ca. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification ]
Normally I'd start with tcpdump as the lowest-level tracing tool, but
first I'd want to know a bit more about your scenario. Instead of
using
"host" and "docker" terminology (I am not familiar with docker, so I
am
not sure if you are implying a VM trying to communicate with the
underlying host), could you perhaps re-frame your question with
"client"
and "server" and explain which are in which zones (and networks)? Or
are the client and server on the same host?
On 2025-03-19 05:49, Sean Murphy via Shorewall-users wrote:
Hi all,,
We have been (ab)using shorewall for some years now and we're v happy
with it -
thanks everyone and Tom in particular for such a great tool.
We have been using it to manage security for a set of VMs running
applications
with docker-compose. Almost all of our hosts have a single external
network
interface; this is perhaps not the use case for which shorewall was
designed
but it has been working for us so far.
We now have a scenario which is proving more difficult: we want to
access a
service running on a host from within a container.
We have tried the most open configuration possible - a policy with
all:all
ACCEPT and no rules; it seems the service is accessible from anywhere
except
inside the docker container.
Accessing the service from inside the container results in timeouts,
so presumably
the packets are being dropped somewhere. We tried ping, ssh (on
standard ports)
and an http service running on a high port number.
Zone configuration:
root@dhit-disposable01:/etc/shorewall# cat zones
###############################################################################
#ZONE TYPE OPTIONS
IN OUT
#
OPTIONS OPTIONS
fw firewall
net ipv4
dock ipv4
Interface configuration:
root@dhit-disposable01:/etc/shorewall# cat interfaces
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net eth physical=eth+,dhcp,nosmurfs
net en physical=en+,dhcp,nosmurfs
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1
Policy configuration:
root@dhit-disposable01:/etc/shorewall# cat policy
#SOURCE DEST POLICY LOGLEVEL LIMIT
all all ACCEPT
Rules configuration:
root@dhit-disposable01:/etc/shorewall# cat rules
#ACTION SOURCE DEST PROTO DPORT
# No rules
Docker configuration as per shorewall.conf
root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
# Default shorewall config, except for DOCKER=Yes (and this comment).
DOCKER=Yes
DOCKER_BRIDGE=docker0
I did shorewall compile, safe-reload and then restarted the docker
deamon but
the packets still seem to be being dropped. I tried iptables-tracer
[1] to get some
info on where they disappear and it seems packets are being dropped
on the
return path.
I checked the documentation and could not find any answer in the
FAQs. I
could not generate a shorewall dump as we are using journald rather
than
syslog and it's unclear to me how such a dump can be generated in
this case.
Happy to provide further information as required.
Any thoughts/pointers appreciated...
Best rgds,
Sean.
[1] https://github.com/x-way/iptables-tracer
__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44 289-84-22
www.datahouse.ch
Linkedin:
https://www.linkedin.com/company/wuestpartner/posts/?feedView=all&viewAsMember=true
YouTube: https://www.youtube.com/channel/UC4Esiu5N_zg2JRERufw5HvA
__________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
