Thanks all for providing some inputs here. We've found that there have been some changes to docker iptables rule management which have impacted us - see here: https://github.com/moby/moby/commit/c9fdeaf70e71506487244df4f6d586eb937981f4

At this point, we're not sure if we can find a workable solution for our context which combines shorewall and docker - I will update here if we do.

BR,
Sean.

__________________________________
Sean Murphy
Senior Platform Engineer
sean.mur...@datahouse.ch
T +41 44 289-84-22
www.datahouse.ch
Linkedin | YouTube
__________________________________

________________________________________
From: Winston Sorfleet <w...@romanus.ca>
Sent: Friday, March 21, 2025 11:53 PM
To: shorewall-users@lists.sourceforge.net <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Problems accessing host from docker container running on host

Vieri is right, I did miss the "all all ACCEPT" with the message thread truncation. Still... like Roger I would be a little more assured if Sean put in an explicit "dock fw ACCEPT" and "fw dock ACCEPT" just for testing. Particularly given the potential complication of a bridge interface.

I am also sort of wondering if packets might be going out the "docker0" interface and back via "br" or vice-versa, which certainly a tcpdump -i any would show (I'd suggest putting some constraints around src, dst, and port or proto if you want to avoid a deluge of output).

Also, you can try the "diff" thing with "ip route show" and with "shorewall show routing", with shorewall running/clear; it might give some clues.

On 2025-03-21 10:42, Roger Hayter wrote:
> ISTR ‘all’ doesn’t include the firewall unless you explicitly state it (or
> use ‘all+’ but I’m less sure of this). So doesn’t there need to be a policy
> of ‘dock’ to $FW ACCEPT?
>
> --
>
> Roger Hayter
>
>> On 21 Mar 2025, at 13:08, Vieri Di Paola <vieridipa...@gmail.com> wrote:
>>
>> On Fri, Mar 21, 2025, 13:16 Winston Sorfleet <w...@romanus.ca> wrote:
>> Well, it would seem to me that's the problem - your VM is in the Docker
>> zone, and the host you want to access is in the Fw zone.
>>
>> But OP has 'all all ACCEPT' as policy.
>> Try setting to 'all all ACCEPT INFO' and confirm in logs that you see the
>> traffic you need.
>> If outgoing ok but no reply, you might want to check routing tables.
>> Are the replies routed back as expected to the right interface?
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
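An added example of the snapshot-and-diff check Winston describes (not code from any poster in this thread): capture the host's routing and netfilter view with Shorewall running, again after "shorewall clear", and diff the two. It assumes root on the Docker host, that ip, iptables-save, shorewall and diff are installed, and that the output directories /tmp/fw-running and /tmp/fw-cleared (constructed names) are free.

```shell
#!/bin/sh
# Added example, not from the thread. Snapshot routing/netfilter state with
# Shorewall running, then after "shorewall clear", and diff the two views.
# Assumptions: run as root on the Docker host; ip, iptables-save, shorewall
# and diff exist; /tmp/fw-running and /tmp/fw-cleared are free (constructed).
# "shorewall clear" leaves the host open until "shorewall start" runs again,
# so the window between the two snapshots is kept as short as possible.

# Write one text file per view into <outdir>.
snapshot() {
    dir="$1"
    mkdir -p "$dir"
    ip route show          > "$dir/ip_route.txt"
    ip rule show           > "$dir/ip_rule.txt"
    iptables-save          > "$dir/iptables.txt"
    shorewall show routing > "$dir/shorewall_routing.txt" 2>&1 || true
}

# Diff every view in <before> against <after>. Prints a marker line and the
# unified diff for each file that changed; returns 1 if any view changed,
# 0 if all views are identical.
compare_snapshots() {
    before="$1"; after="$2"; changed=0
    for f in "$before"/*.txt; do
        name=$(basename "$f")
        if ! diff -q "$f" "$after/$name" >/dev/null 2>&1; then
            echo "== $name differs =="
            diff -u "$f" "$after/$name" || true
            changed=1
        fi
    done
    return "$changed"
}

# Run the full check only when invoked as "sh fwdiff.sh run".
if [ "${1:-}" = "run" ]; then
    snapshot /tmp/fw-running
    shorewall clear
    snapshot /tmp/fw-cleared
    shorewall start
    compare_snapshots /tmp/fw-running /tmp/fw-cleared
fi
```

A rule or route that appears only in one of the two snapshots is a candidate for what Shorewall adds or removes around Docker's own rules.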