Closed
Labels
area/networking
Description
Having installed ufw and blocked all incoming traffic by default (sudo ufw default deny), when I run docker images that map ports to my host machine, these mapped docker ports are accessible from outside, even though they are never allowed to be accessed.
Please note that on this machine DEFAULT_FORWARD_POLICY="ACCEPT" as described on this page http://docs.docker.io/en/latest/installation/ubuntulinux/#ufw has not been enabled and the property DEFAULT_FORWARD_POLICY="DROP" is still set.
Any ideas what might be causing this?
Output of ufw status:
```
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
5666                       ALLOW IN    95.xx.xx.xx
4949                       ALLOW IN    95.xx.xx.xx
22                         ALLOW IN    Anywhere (v6)
443/tcp                    ALLOW IN    Anywhere (v6)
80/tcp                     ALLOW IN    Anywhere (v6)
```
Here is the output of my rabbitmq via docker ps:
```
cf4028680530 188.xxx.xx.xx:5000/rabbitmq:latest /bin/sh -c /usr/bin/ 5 weeks ago Up 5 days 0.0.0.0:15672->15672/tcp, 0.0.0.0:5672->5672/tcp ecstatic_darwin/rabbitmq,focused_torvalds/rabbitmq,rabbitmq,sharp_bohr/rabbitmq,trusting_pike/rabbitm
```
Nmap test:
```
nmap -P0 example.com -p 15672

Starting Nmap 5.21 ( http://nmap.org ) at 2014-03-18 11:27 CET
Nmap scan report for example.com (188.xxx.xxx.xxx)
Host is up (0.048s latency).
PORT      STATE SERVICE
15672/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```
General infos:
- Ubuntu 12.04 server
```
$ uname -a
Linux production 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ docker version
Client version: 0.9.0
Go version (client): go1.2.1
Git commit (client): 2b3fdf2
Server version: 0.9.0
Git commit (server): 2b3fdf2
Go version (server): go1.2.1
Last stable version: 0.9.0

$ docker info
Containers: 12
Images: 315
Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 339
WARNING: No swap limit support
```
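A check for the mismatch reported above, as an added example that is not part of the original issue or of Docker's or ufw's own code: it lists host ports that `docker ps` shows published on all interfaces but that no ufw rule allows from Anywhere. The function names are hypothetical and the sample inputs are constructed from the outputs quoted in the report.

```shell
#!/bin/sh
# Added example (not from the issue): list host ports that Docker publishes on
# all interfaces although no ufw rule allows them from Anywhere.
# Live input would come from `docker ps --format '{{.Ports}}'` and
# `ufw status verbose`; the samples below are constructed from the report.

SAMPLE_PORTS='0.0.0.0:15672->15672/tcp, 0.0.0.0:5672->5672/tcp'
SAMPLE_UFW='22       ALLOW IN  Anywhere
443/tcp  ALLOW IN  Anywhere
80/tcp   ALLOW IN  Anywhere
5666     ALLOW IN  95.xx.xx.xx
4949     ALLOW IN  95.xx.xx.xx'

# Print "port/proto" for every mapping bound to 0.0.0.0 or :: in $1.
# Mappings bound to a specific address (e.g. 127.0.0.1) are skipped.
published_ports() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -nE 's#^ *(0\.0\.0\.0|\[?::\]?):([0-9]+)->[0-9]+/(tcp|udp).*$#\2/\3#p' |
    sort -u
}

# Succeed if the ufw rule table $1 allows port/proto $2 in from Anywhere.
# A rule for a bare port ("22") covers both protocols.
ufw_allowed() {
  printf '%s\n' "$1" | awk -v p="${2%/*}" -v pr="${2#*/}" '
    $2 == "ALLOW" && $3 != "OUT" && ($3 == "Anywhere" || $4 == "Anywhere") &&
      ($1 == p || $1 == p "/" pr) { found = 1 }
    END { exit !found }'
}

# Print each published port from $1 that the ufw rules in $2 do not allow.
exposed_ports() {
  for _pp in $(published_ports "$1"); do
    ufw_allowed "$2" "$_pp" || printf '%s\n' "$_pp"
  done
}

exposed_ports "$SAMPLE_PORTS" "$SAMPLE_UFW"
```

Any port this prints is one that ufw's rule table does not open to the world, so it should be confirmed from outside the host, as the nmap test in the report does.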