Does Discourse Docker automatically configure firewall too?


(Aahan Krish) #1

Does Discourse Docker automatically configure firewall too? If yes, what does it configure, iptables or ufw?

If no, which is recommended, iptables or ufw?


#2

UFW is basically a “front-end” to iptables, so you can feel free to use whichever’s easiest/expressive enough for you. As for whether Discourse configures it; I checked on my own install (ufw status) and it didn’t seem to have configured anything. In the container itself, iptables and ufw were not available (so I did it myself on the host).

Example output of basic systems exposed (HTTP, HTTPS, SSH) with ufw allow 80/tcp etc:

80/tcp              ALLOW       Anywhere
443/tcp             ALLOW       Anywhere
22/tcp              ALLOW       Anywhere
80/tcp (v6)         ALLOW       Anywhere (v6)
443/tcp (v6)        ALLOW       Anywhere (v6)
22/tcp (v6)         ALLOW       Anywhere (v6)

(Aahan Krish) #3

ufw seems simpler. Hmm, I’ll look into it. Meanwhile, this is my iptables config:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Source: https://library.linode.com/securing-your-server#sph_creating-a-firewall


(Sam Saffron) #4

ufw / iptables is external to Docker; that said, I am open to launcher checking for some level of sanity and warning you if no firewall is configured, but it gets tricky.


(Aahan Krish) #5

Wouldn’t simply including the basic config in the installation tutorial do? (Or maybe posting one in the how-tos section would?)


(Jeff Atwood) #6

Part of this depends how secure the default recommended Ubuntu Server 14.04 LTS install is when connected to the Internet. I sort of assume that, like Microsoft, they have learned to ship “secure by default” as the world basically ends if you don’t. (See: Windows XP)


(Sam Saffron) #7

Out of the box Ubuntu ships with no firewall on; you would need to apt-get install ufw to get anything going (simplest route). We should definitely include something in our guide (cc @supermathie )


(Michael Brown) #8

Kiiiind of. By default, Docker messes with your firewall rules, ANY ports you forward get opened to the Internet at large.

I’ll do up a quick guide based on a DO default install that only allows SSH in and assumes Docker will add the http forward.


(Jeff Atwood) #9

What difference does it make if you “firewall” a port when no services are running on that port? So you are saying that Ubuntu Server 14.04 LTS ships insecure out of the box?


(Sam Saffron) #10

Yes, it most certainly does, as do pretty much all Linux distros, except for perhaps firewall appliance distros like say smoothwall.


(Jeff Atwood) #11

Still, odd, particularly on a server OS.

https://help.ubuntu.com/community/DoINeedAFirewall

The main argument seems to be “existing app or service gets compromised”, and “dumb server admin installs stuff that opens a bunch of ports unexpectedly”. Basically belt and suspenders security.

I still think if the :neckbeard:s thought a firewall was so critical it would be enabled by default on many if not all Linux server distros. It is on any remotely modern Windows, desktop or server…


(Dave McClure) #12

Was this ever done? Not finding it, nor is anything in the default guide from what I can tell…

(bump! @sam @supermathie @techAPJ - any quick thoughts on this? )

I ended up just doing:

ufw allow http
ufw allow https
ufw allow ssh
ufw enable

(Michael Brown) #13

That looks good :smile:

I tend to drop in my own tenderly-maintained firewall rules via iptables-persistent but ufw is great for a quick and dirty solution.
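The host-side sanity check Sam floats in #4, combined with Michael's warning in #8 that ports published by Docker are reachable regardless of the host's ufw/iptables INPUT rules, as an added example that is not from this thread or the Discourse project. The parser functions take the text of `ufw status` and `iptables -S DOCKER` as arguments, so a caller on a real host would run `audit_host "$(ufw status)" "$(iptables -S DOCKER)"`; the sample output below is constructed (same layout as post #2).

```shell
#!/bin/sh
# Added example (not the project's code): audit host firewall vs. Docker-published ports.

# 0 if ufw reports "Status: inactive" or the text is empty (ufw not installed).
ufw_inactive() {
    [ -z "$1" ] || printf '%s\n' "$1" | grep -q '^Status: inactive'
}

# 0 if the ufw status text has an IPv4 ALLOW rule for PORT/tcp.
ufw_allows() {
    printf '%s\n' "$2" | grep -Eq "^$1/tcp[[:space:]]+ALLOW[[:space:]]"
}

# Print the TCP ports Docker has published, one per line, from "iptables -S DOCKER".
docker_published_ports() {
    printf '%s\n' "$1" | sed -n 's/.* -p tcp .*--dport \([0-9]*\) -j ACCEPT.*/\1/p' | sort -un
}

# Print a finding per check; return 1 if anything was flagged.
audit_host() {
    rc=0
    if ufw_inactive "$1"; then
        echo "WARNING: ufw is not active; the host has no firewall of its own"
        rc=1
    fi
    for p in $(docker_published_ports "$2"); do
        if ufw_allows "$p" "$1"; then
            echo "OK: $p/tcp is published by Docker and listed in ufw"
        else
            echo "WARNING: $p/tcp is published by Docker (open to the Internet regardless of ufw) but not listed in ufw; confirm this is intended"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output: ufw lists 22 and 80, but Docker also publishes 443.
UFW_SAMPLE='Status: active

To                  Action      From
--                  ------      ----
22/tcp              ALLOW       Anywhere
80/tcp              ALLOW       Anywhere
22/tcp (v6)         ALLOW       Anywhere (v6)'
DOCKER_SAMPLE='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT'

if audit_host "$UFW_SAMPLE" "$DOCKER_SAMPLE"; then echo "no issues"; else echo "issues found"; fi
```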