Docker and Firewalls - Docker wants to punch holes in the local firewall, let's mitigate that issue

  • Published on 1 Feb 2025

Comments • 54

  • @itsmith32 (1 year ago, +2)

    Thank you so much for your explanations! I've noticed that my Docker is doing something that I don't want it to do with the firewall. So, I've started to look around the web to find some info on that, and I've found it on your channel! After looking at the Docker documentation I've got the idea of what to do with that.

  • @fbifido2 (3 years ago, +4)

    Great info, I did not know this, thanks.
    @18:36 - IP blocking is never a good thing if any of the containers use Let's Encrypt.
    It's best to look at allowing ports first, then ports + IP address, then IP address, then drop everything after.
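An added illustration of the ordering point in the comment above (example code, not from the video or the commenter): a minimal first-match rule evaluator in a made-up "ACTION PROTO PORT SOURCE" format, which decides the way iptables or ufw does, at the first matching rule. Addresses are constructed documentation ranges; the rule sets are assumptions written for this demonstration.

```shell
#!/bin/sh
# Added example: first-match evaluation over two rule orderings.
# Rule format (an assumption for this example): ACTION PROTO PORT SOURCE,
# where PROTO, PORT and SOURCE may each be "any".

# Suggested order: named ports from anywhere, then port + address,
# then an address alone, then drop everything else.
GOOD_RULES='allow tcp 80 any
allow tcp 443 any
allow tcp 22 203.0.113.10
allow any any 198.51.100.7
drop any any any'

# Address-only allow list: nothing from an address you do not control
# can get in, which is exactly what Let's Encrypt HTTP-01 validation needs.
IP_ONLY_RULES='allow any any 203.0.113.10
allow any any 198.51.100.7
drop any any any'

# evaluate RULES PROTO PORT SOURCE -> prints the action of the first
# matching rule; "drop" when nothing matches (default deny).
evaluate() {
    result=$(printf '%s\n' "$1" | while read -r action proto port src; do
        [ "$proto" = any ] || [ "$proto" = "$2" ] || continue
        [ "$port" = any ]  || [ "$port" = "$3" ]  || continue
        [ "$src" = any ]   || [ "$src" = "$4" ]   || continue
        echo "$action"
        break
    done)
    echo "${result:-drop}"
}

# A validation request from an address we cannot know in advance:
echo "HTTP from 192.0.2.99, ordered rules: $(evaluate "$GOOD_RULES" tcp 80 192.0.2.99)"
echo "HTTP from 192.0.2.99, address-only:  $(evaluate "$IP_ONLY_RULES" tcp 80 192.0.2.99)"
# SSH is still limited to the one admin address:
echo "SSH from 203.0.113.10: $(evaluate "$GOOD_RULES" tcp 22 203.0.113.10)"
echo "SSH from 192.0.2.99:   $(evaluate "$GOOD_RULES" tcp 22 192.0.2.99)"
```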

  • @TritonB7 (3 years ago, +3)

    Hello, from San Angelo! Great information and walkthrough.

    • @AwesomeOpenSource (3 years ago)

      Glad you like it. I went to Angelo State for my undergrad!

  • @MatsK007 (3 years ago, +3)

    As always, a good methodical and pedagogic video and right in time (as for me ;-) )

    • @MatsK007 (3 years ago, +1)

      a minor issue, you have a space in front of the time tag (last 3 lines) in the description

    • @AwesomeOpenSource (3 years ago, +1)

      @MatsK007 Thank you. I'll try to get that fixed.

    • @AwesomeOpenSource (3 years ago, +1)

      I appreciate it.

  • @alanjrobertson (2 years ago, +2)

    The way I did it on my VPS was to only expose rather than open ports in Docker. That way I could proxy to them OK but was only opening the secure ports. For Portainer I then bound it to localhost and did a port forward over SSH for port 9000 - that way it can only be accessed when an SSH session is in progress. I could have proxied it instead but I wanted to access it even if the npm container was down, etc.
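An added check in the spirit of the comment above (example code, not from the video or the commenter): audit the port mappings that `docker ps` reports and flag those published on all interfaces, since those are reachable from outside whatever the host firewall says, while a mapping bound to 127.0.0.1 (Portainer on 9000, reached over an SSH tunnel) or a port that is only exposed is not. The sample output below is constructed in the shape of `docker ps --format '{{.Names}}\t{{.Ports}}'`.

```shell
#!/bin/sh
# Added example: classify docker-ps port mappings by how reachable they are.

# Constructed sample (container name, TAB, PORTS column).
SAMPLE=$(
    printf 'portainer\t127.0.0.1:9000->9000/tcp\n'
    printf 'npm\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\n'
    printf 'db\t5432/tcp\n'
    printf 'wiki\t0.0.0.0:8080->80/tcp\n'
)

# Classify one mapping. Prints:
#   local    - published on loopback only (127.0.0.1 / [::1])
#   open     - published on all interfaces or a specific non-loopback address
#   internal - exposed but not published; reachable only on the Docker network
classify_mapping() {
    case "$1" in
        127.0.0.1:*|'[::1]:'*) echo local ;;
        *'->'*)                echo open ;;
        *)                     echo internal ;;
    esac
}

# Print "<container> <mapping> <class>" for every mapping in the input.
audit_ports() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | while IFS="$tab" read -r name ports; do
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r mapping; do
            [ -n "$mapping" ] || continue
            printf '%s %s %s\n' "$name" "$mapping" "$(classify_mapping "$mapping")"
        done
    done
}

# Number of mappings reachable from outside the host; any non-zero result
# means the host firewall is being bypassed for those ports.
count_open() {
    audit_ports "$1" | grep -c ' open$'
}

audit_ports "$SAMPLE"
echo "published on external interfaces: $(count_open "$SAMPLE")"
```

On a real host, feed it `docker ps --format '{{.Names}}\t{{.Ports}}'` instead of the sample.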

  • @antheus_s (3 years ago, +2)

    Great video. Very informative and well explained. :-)

  • @cattivello (1 year ago, +1)

    Thank you.

  • @fernwood (2 years ago, +3)

    I trust the people (my family, guests that use our Wi-Fi…) in my LAN. What I don’t trust are sketchy apps they might be running that scan the local subnet, or even nefarious apps, viruses, or malware that might try an automated hack on any exposed services. It drives me nuts that Docker inserts its own chains.

    • @AwesomeOpenSource (2 years ago, +1)

      Yeah, a bit of a downfall for sure, but can be mitigated.

  • @rogerthomas368 (2 years ago, +2)

    If you are using docker it is worth fighting with the Traefik docs as this provides a good integrated reverse proxy. Once you get the hang of it you can define everything with the docker-compose.yml file and do things like restrict traffic sources to just Cloudflare nodes without having to fight with the OS firewall.

    • @AwesomeOpenSource (2 years ago, +1)

      I keep meaning to tackle Traefik, and the @IBRACORP guys have done it recently with a great walkthrough. I'm trying to absorb it. For me, and my simpler self-hosting needs, Nginx Proxy Manager is doing great though.

    • @rogerthomas368 (2 years ago, +1)

      @AwesomeOpenSource Having spent the last few months getting it to a point where I am happy with the results, I can say it is not an easy tool, but the results are worth it if you are looking to deploy 'infrastructure as code' rather than 'setup by GUI'.

  • @owNewBlood (3 years ago, +2)

    Great video!!

  • @asp1re530 (2 years ago, +2)

    I don't get it. I added the fix and it works but now I don't have any internet connection inside my containers. It blocks everything.

    • @AwesomeOpenSource (2 years ago, +2)

      You can definitely accidentally block everything if you're not careful. Just go back through and re-check everything. Think of each connection (in and out) as a pipe with water in it, and imagine each point where you have a network intersection is a control valve. You can set it to allow no water through at all, or maybe just a little (certain ports). Maybe it will click with you where you have the valve completely shut. If nothing else, jump over to discuss.opensourceisawesome.com, and drop a message in the General channel. Usually a few people over there are willing to help (including me).

  • @TecraTube (3 years ago, +5)

    Normal stuff that everyone should be implementing on a docker host. 👍

  • @dimitristsoutsouras2712 (3 years ago, +2)

    11:51 you enabled HTTP and HTTPS like you are accepting that traffic from outside to inside the VM (since it is an inbound rule). Where exactly did you specify to prevent access? You didn't edit a rule to create custom options, you just enabled a preselected profile. How is the viewer supposed to know what this does?

    • @AwesomeOpenSource (3 years ago, +2)

      Sorry, by enabling the firewall on the VPS, it blocks all access by default. That's why we set up our exceptions first. I guess I wasn't clear enough with that. In some firewalls, you do need to block inbound with a DROP or DENY rule first, then allow exceptions, but in this case DENY is the default state.

  • @RanjitSingh-wy4ku (2 years ago, +2)

    My VPS doesn't support Firewall option. Can we do the same using UFW on VPS server?
    Any pointers to configure that?

    • @RanjitSingh-wy4ku (2 years ago)

      Finally, I was able to solve it.
      If anyone is in the same boat, here is an amazing explanation:
      Docker Punching Holes Through Your VPS Firewall? This Is How I Solved It
      Channel name:
      Danie van der Merwe
      Hope this helps someone.

    • @AwesomeOpenSource (2 years ago, +2)

      In theory, you could set up a VPS with firewall software, and then use it as the gateway for your other servers, essentially setting up a VPC network... or jump over to Cloudflare and check out their free offering to set in front of your apps, and close any ports through Cloudflare.

  • @IgnoreMyChan (3 years ago, +2)

    Watch your mic-popping, please. You're waking my neighbors with the popping bass. ;-)

    • @AwesomeOpenSource (3 years ago, +1)

      That is my desk chair. I swear I want to make a drinking game out of my chair popping, but I'm worried no one would ever make it through a video! Hahahahah.

    • @IgnoreMyChan (3 years ago, +1)

      @AwesomeOpenSource No, that can't be it. Listen at 0:40 and 1:35. You saying Ports and oPen is banging my subwoofer. :-D The section where you thank the patreons (4:15) is also much quieter (read: better). I think some levels got messed up.

    • @AwesomeOpenSource (3 years ago, +2)

      @IgnoreMyChan Ohhhh... hmmm, I swear I adjusted my mic not long ago, not sure why it's through the roof again. I'll check it. Thank you.

    • @IgnoreMyChan (3 years ago)

      @AwesomeOpenSource No, thank you! Your content is just like Open Source: Awesome. :-)

  • @matthewblott (3 years ago, +3)

    I tried Red Hat's Podman which runs containers with a rootless user but I ran into too many issues. Unfortunately the ecosystem is nothing like that for Docker and if you're not a network guru I found it is best to stick to Docker. And then I found Docker introduced a rootless mode which is what I use. I run the ufw package on the same host and it blocks the outbound ports as expected. I'm not sure if Docker's rootless mode works differently with iptables but I've had no problems so far.

  • @fbifido2 (3 years ago, +2)

    Do you know of any IT/pc-parts inventory web interface application in docker ????

    • @AwesomeOpenSource (3 years ago, +1)

      Inventory for IT assets? It seems like I've seen some in the past, but I'd have to look to see what I can find. Let me know if this is what you mean.

  • @iamrage4753 (2 years ago, +3)

    Whalewall is a docker firewall that does this sort of thing too

  • @4Abaddon4 (3 years ago, +2)

    I do think there is a problem with running the Cloudflare firewall only. You're securing all traffic that goes through your domain, but if someone tries to connect to the public IP, Cloudflare can't intercept.

    • @AwesomeOpenSource (3 years ago, +2)

      Correct, it’s not the only mitigation, but a piece of a more full security solution.

  • @K0818069199 (3 years ago, +2)

    Your tutorial would be much much better if you would bring the audiences through via conceptualized connecting chart.

    • @AwesomeOpenSource (3 years ago, +1)

      Great idea! Thank you, I'll try to get that added for future network-ish type things.

  • @asimabusallam3147 (3 years ago, +2)

    nice to vlog

  • @jwv6340 (3 years ago)

    You do DNS, names fill in the IP and you are still getting there

    • @jwv6340 (3 years ago)

      On the public IP of the VPS

    • @AwesomeOpenSource (3 years ago, +1)

      Apologies, I don't understand the comment.

    • @jwv6340 (3 years ago, +1)

      @AwesomeOpenSource Well, if you use Cloudflare, if you know the IP then you can still reach the VPS

    • @jwv6340 (3 years ago, +1)

      Then comes the hacker who scans the whole range of the open ocean, or wherever the VPS is; you can still get to the IP