The problem was using the -p flag on containers. It turns out that Docker makes changes directly on your iptables, which are not shown with ufw status.

Possible solutions are:

1. Stop using the -p flag. Use docker linking or docker networks instead.

2. Bind containers locally so they are not exposed outside your machine:

       docker run -p 127.0.0.1:8080:8080 ...

3. If you insist on using the -p flag, tell docker not to touch your iptables by disabling them in /etc/docker/daemon.json and restarting:

       { "iptables" : false }

I recommend option 1 or 2. Beware that option 3 has side-effects, like containers becoming unable to connect to the internet.
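Because the rules Docker adds for -p live in the nat table rather than in ufw's own chains, the way to see what ufw status hides is to read that table directly. The following is an added example, not code from the answer above: it parses a constructed iptables-save -t nat excerpt (the rule layout is Docker's usual DOCKER-chain DNAT form; the container addresses 172.17.0.2 and 172.17.0.3 are assumed) and reports which published ports are bound to all addresses and therefore reachable from outside regardless of what ufw permits.

```python
import re
from typing import Dict, List

# Constructed `iptables-save -t nat` excerpt (not captured from a real host):
# two ports published with -p, one on all addresses and one bound to 127.0.0.1.
SAMPLE_NAT_RULES = """\
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
"""

# A DNAT rule in the DOCKER chain: protocol, published port, container target.
DNAT_RE = re.compile(
    r"^-A DOCKER .*?-p (?P<proto>tcp|udp) .*?--dport (?P<port>\d+) "
    r".*?--to-destination (?P<dest>[\d.]+:\d+)$"
)
# Present only when the port was published as -p <addr>:host:container.
BIND_RE = re.compile(r" -d (\d+\.\d+\.\d+\.\d+)/32 ")


def docker_published_ports(nat_rules: str) -> List[Dict[str, str]]:
    """Return every Docker DNAT rule with the host address it is bound to.

    Without a -d match the rule applies to every local address, so the port
    is reachable from outside even though `ufw status` shows nothing for it.
    """
    found = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        bind = BIND_RE.search(line)
        found.append({
            "proto": m["proto"],
            "port": m["port"],
            "bind": bind.group(1) if bind else "0.0.0.0",
            "dest": m["dest"],
        })
    return found


def externally_exposed(nat_rules: str) -> List[str]:
    """Published ports that bypass ufw because they are bound to all addresses."""
    return [f"{r['proto']}/{r['port']}"
            for r in docker_published_ports(nat_rules) if r["bind"] == "0.0.0.0"]
```

On a real host, feed it the output of iptables-save -t nat instead of the sample; an empty result from externally_exposed means every -p binding is local (option 2 above).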
ufw is an uncomplicated configuration tool for firewalls. It is designed to be usable by people who have no experience with firewalls or want an uncomplicated way to modify the underlying iptables and netfilter rulesets.

For example:

ufw, allow all port 22 traffic (UDP and TCP):

    ufw allow 22

iptables, allow all port 22 traffic (UDP and TCP):

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p udp --dport 22 -j ACCEPT

Comparatively, ufw permits users to modify the basic firewall needs with limited knowledge of iptables or such.

It in and of itself only modifies iptables/netfilter rules when 'enabled'. It does not run as its own process, in that sense, because the rules it applies are updated on the fly; I am fairly certain it doesn't continue to 'run'.
The only way I would consider ufw to be a service is in that, at boot time, it may be able to restore whatever rules are defined in it. However, iptables-persistent does the same thing, and is not really a service; therefore I do not consider ufw a service as such. The way to determine whether ufw (that is, the actual firewall rules) is being enforced is with ufw status.
As per the Community Help Documentation on ufw, it says nothing about ufw being a service, which seems to support this.

And through testing, I have confirmed that ufw is just a less complicated way to 'configure' firewall rules - the real magic of ufw is that it sets up iptables/netfilter rules which you can then see with iptables -L when ufw is enabled.
I am trying to configure a media server in the local net. The server application that I am using is MediaTomb. It was the only one that allowed me to transcode Theora/Vorbis to MP4/mp2.

Then I will configure ufw according to the tips on MediaTomb's official website: "My UPnP player can not see MediaTomb, what is wrong?". What I still lack is the syntax.

Ref.: Problems allowing outgoing multicast in ufw
You need to know the ports and protocols — TCP and UDP, only? — that the service uses.