Applying docker / discourse iptables rules when using csf firewall

hello again. using discourse running via docker on centos 7.4. i use csf via webmin as my firewall frontend.

so i’ve noticed that allowing csf to auto-update itself forces a csf restart each update which then breaks the docker’s networking until i restart docker, to have its own iptables rules re-applied. which ultimately causes issues with my instance of discourse.

i’ve read about using the built in csf function to define rules to be automatically applied at each csf restart.

how can i interpret the rules precisely as docker applies them to place into any suggestions? Thanks.

My suggestion would be to use Ubuntu.

What you describe isn’t really a Discourse issue, but a Docker and CentOS issue. Few people here use CentOS because of problems like this.

I’d recommend asking on a Docker or CentOS site.



thanks. i get that and have been told that. i’m not really suggesting that it was discourse’s problem. i’m really just asking in iptables speak, what are the discourse rules applied, as they pertain to using discourse, to the iptables firewall that i can then transpose into the csf file myself for pre-loading?

or is that simply a bad question on my part?


It’s a bad question here because Discourse does nothing with iptables. (It seems like a very good question somewhere else, though!)

pfaffman@balloon:~/src/discourse_docker$ sudo find .  -type f -exec grep -l iptables \{\} \;
pfaffman@balloon:~/src/discourse$ sudo find .  -type f -exec grep -l iptables \{\} \;

I was looking for information on how to get CSF/LFD to track failed logins on Discourse when I ran across your post.
While it may not be the most preferable solution, you could use csfpost to restart docker each time csf restarts with the following. I have been using it for a while now.

cat /etc/csf/

systemctl restart docker

Thank you for your idea. I instead moved the site to Ubuntu as it is the recommended platform anyway for discourse and now use ufw instead. This works just fine for me. No more firewall issues.
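On the original question of seeing the rules exactly as Docker applies them, so they can be re-applied after a csf restart: they can be read back from `iptables-save`. The script below is an added example, not code from any poster or from the Discourse, Docker or CSF projects; the function name `docker_rules_from_save` and the sample dump are constructed for illustration, and it assumes csf has already flushed the Docker chains when the output is replayed.

```shell
#!/bin/sh
# Added example: convert `iptables-save` output into replayable iptables
# commands, keeping only Docker chains and rules that touch Docker bridges.

docker_rules_from_save() {
  awk '
    /^\*/ { table = substr($0, 2); next }      # "*nat" / "*filter": current table
    /^:DOCKER/ {                               # ":DOCKER - [0:0]": user chain to create
      print "iptables -t " table " -N " substr($1, 2)
      next
    }
    /^-A / && /DOCKER|docker0|br-[0-9a-f]+/ {  # rule referencing a Docker chain or bridge
      print "iptables -t " table " " $0
    }
  '
}

# Constructed sample dump (not captured from a real host).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT'

# Demo on the sample; on a real host, as root, while Docker networking works:
#   iptables-save | docker_rules_from_save
printf '%s\n' "$SAMPLE_SAVE" | docker_rules_from_save
```

Per-container rules in the dump carry the container addresses of that moment, so a replayed snapshot goes stale when containers are recreated; restarting Docker, as in the post above, regenerates them.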