On 3/19/25 10:49, Sean Murphy via Shorewall-users wrote:
> Hi all,
> We have been (ab)using shorewall for some years now and we're very happy with it -
> thanks everyone and Tom in particular for such a great tool.
> We have been using it to manage security for a set of VMs running applications
> with docker-compose. Almost all of our hosts have a single external network
> interface; this is perhaps not the use case for which shorewall was designed
> but it has been working for us so far.
> We now have a scenario which is proving more difficult: we want to access a
> service running on a host from within a container.
> We have tried the most open configuration possible - a policy with all:all
> ACCEPT and no rules; it seems the service is accessible from anywhere except
> inside the docker container.
> Accessing the service from inside the container results in timeouts, so
> presumably the packets are being dropped somewhere. We tried ping, ssh (on
> standard ports) and an http service running on a high port number.
> Zone configuration:
> root@dhit-disposable01:/etc/shorewall# cat zones
> ###############################################################################
> #ZONE   TYPE      OPTIONS   IN        OUT
> #                           OPTIONS   OPTIONS
> fw      firewall
> net     ipv4
> dock    ipv4
> Interface configuration:
> root@dhit-disposable01:/etc/shorewall# cat interfaces
> ###############################################################################
> ?FORMAT 2
> ###############################################################################
> #ZONE   INTERFACE   OPTIONS
> net     eth         physical=eth+,dhcp,nosmurfs
> net     en          physical=en+,dhcp,nosmurfs
> dock    docker0     physical=docker+,routeback=1
> dock    br          physical=br-+,routeback=1
> Policy configuration:
> root@dhit-disposable01:/etc/shorewall# cat policy
> #SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
> all       all    ACCEPT
> Rules configuration:
> root@dhit-disposable01:/etc/shorewall# cat rules
> #ACTION   SOURCE   DEST   PROTO   DPORT
> # No rules
> Docker configuration as per shorewall.conf:
> root@dhit-disposable01:/etc/shorewall# grep -i docker shorewall.conf
> # Default shorewall config, except for DOCKER=Yes (and this comment).
> DOCKER=Yes
> DOCKER_BRIDGE=docker0
> I did shorewall compile, safe-reload and then restarted the docker daemon but
> the packets still seem to be being dropped. I tried iptables-tracer [1] to get
> some info on where they disappear and it seems packets are being dropped on the
> return path.
If you do a `shorewall clear`, does it work at all?
Note that the project is unmaintained.
--
Matt Darfeuille <m...@shorewall.org>
Unmaintained project, no more releases or bug fixes
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
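To sanity-check a Shorewall/Docker layout like the one quoted above before digging into packet traces, here is an added example (not code from the thread or from the Shorewall project) that parses zones, interfaces and policy text in the format shown and reports the first things a reader would check: every interface's zone is declared, each Docker bridge interface carries routeback, and the policy table resolves to ACCEPT for dock->fw and fw->dock. It assumes the firewall zone is named fw and the Docker zone dock, as in the quoted files.

```python
"""Lint a Shorewall zones/interfaces/policy set for a Docker host.

Added example: the three inputs below are constructed from the configuration
quoted in the thread; the checks are the ones to run first when containers
cannot reach a service on the host.
"""

ZONES = """#ZONE TYPE OPTIONS IN OUT
fw firewall
net ipv4
dock ipv4
"""
INTERFACES = """?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth physical=eth+,dhcp,nosmurfs
net en physical=en+,dhcp,nosmurfs
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1
"""
POLICY = """#SOURCE DEST POLICY LOGLEVEL LIMIT
all all ACCEPT
"""

def records(text):
    """Yield the whitespace-split fields of each data line (comments and ?directives skipped)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            yield line.split()

def parse_options(field):
    """Turn 'physical=eth+,dhcp' into {'physical': 'eth+', 'dhcp': True}."""
    opts = {}
    for item in field.split(","):
        key, _, val = item.partition("=")
        opts[key] = val if val else True
    return opts

def policy_for(policy_text, src, dst):
    """Return the action of the first matching policy entry (first match wins, as in Shorewall)."""
    for fields in records(policy_text):
        s, d, action = fields[:3]
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None

def lint(zones_text, interfaces_text, policy_text):
    """Return a list of human-readable problems; an empty list means the checks pass."""
    zones = {f[0] for f in records(zones_text)}
    problems = []
    for fields in records(interfaces_text):
        zone, name = fields[0], fields[1]
        opts = parse_options(fields[2]) if len(fields) > 2 else {}
        if zone not in zones:
            problems.append(f"{name}: zone {zone!r} not declared in zones")
        physical = opts.get("physical", name)  # wildcard such as docker+ or br-+
        if physical.startswith(("docker", "br-")) and "routeback" not in opts:
            problems.append(f"{name}: Docker bridge without routeback")
    for src, dst in (("dock", "fw"), ("fw", "dock")):  # zone names assumed from the thread
        if policy_for(policy_text, src, dst) != "ACCEPT":
            problems.append(f"policy {src}->{dst} is not ACCEPT")
    return problems
```

The quoted configuration passes all three checks, which is consistent with the poster's observation that the drop is not explained by zone, routeback or policy settings alone.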