Merge pull request #13 from scetu/docker-bypass

add section about Docker's generated NAT rules bypassing host firewall
Owen Schwartz 2025-04-10 21:47:39 -04:00 committed by GitHub
commit a055d5240c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 2 deletions

View file

@ -38,7 +38,15 @@ If you intend to use the root of your domain, then you will need an additional A
## Ports to Expose ## Ports to Expose
When you setup your VPS you want to make sure that you expose the following ports **on the VPS itself**. :::warning
**Docker Port Exposure Caveat:**
Docker automatically creates iptables NAT rules when container ports are published (using `-p` or docker-compose). These rules can bypass host firewall settings (such as UFW or firewalld), causing ports to be accessible from external networks even if they arent explicitly allowed by your firewall. Always verify your exposed ports (e.g., with [nmap](https://nmap.org/) or [RustScan](https://github.com/bee-san/RustScan)) and ensure you only expose the ports that are absolutely necessary. For more details, see [Dockers port publishing documentation](https://docs.docker.com/engine/network/packet-filtering-firewalls/#port-publishing-and-mapping).
:::
Following ports should be exposed on Operating system level.
### TCP 80 ### TCP 80
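Review bot: the caveat added in this hunk names the symptom but not the control, so a reader is left with "scan and hope". The Docker page it links already documents the two concrete fixes that belong in the admonition: publish to the loopback address only (`-p 127.0.0.1:8080:80`, or `"ip": "127.0.0.1"` in `daemon.json` to make that the default) so the NAT rule never binds the public interface, and place host-level restrictions in the `DOCKER-USER` chain, which Docker consults before its own rules and does not rewrite on restart. The word "bypass" could also be made precise: traffic to a published port is DNATed and traverses the FORWARD chain, so `ufw deny` rules, which act on INPUT, never see it. The scan advice should say the check must be run from a host outside the VPS. Two smaller points: the row that introduces `:::warning` shares a line with the existing sentence "When you setup your VPS ... **on the VPS itself**.", please confirm that sentence is kept before the admonition rather than replaced by it; and "arent" and "Dockers" are missing their apostrophes.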
@ -60,7 +68,7 @@ This is the default WireGuard port and is used for Newt and WireGuard clients to
:::warning :::warning
Its important to **ONLY** expose the ports you need. Effectively by tunneling out to the VPS you are including the VPS in your security boundary and should consider it part of your network and secure it as such. Its important to **ONLY** expose and verify exposed the ports you need. Effectively by tunneling out to the VPS you are including the VPS in your security boundary and should consider it part of your network and secure it as such.
::: :::
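Review bot: the new wording "ONLY expose and verify exposed the ports you need" is ungrammatical; suggest "ONLY expose the ports you need, and verify from outside the VPS which ports are actually reachable." While here, "Its important" (present on both sides of the hunk) should be "It's important".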

View file

@ -9,6 +9,7 @@ import WgetQuickInstaller from "@site/src/components/WgetQuickInstaller";
- We recommend Ubuntu or Debian based systems - We recommend Ubuntu or Debian based systems
- [A domain name pointed to your server's IP address](./02-dns-networking.md) - [A domain name pointed to your server's IP address](./02-dns-networking.md)
- [TCP ports 80, 443, and UDP port 51820 exposed to your Linux instance.](./02-dns-networking.md) - [TCP ports 80, 443, and UDP port 51820 exposed to your Linux instance.](./02-dns-networking.md)
- **Note:** Dockers NAT-based port publishing feature automatically exposes all ports defined in `docker-compose` file. This behavior can bypass your host firewall settings, potentially exposing services that you did not intend to make public. It is important to review and manage these port configurations to minimize security risks.
- An email address for Let's Encrypt certificate registration - An email address for Let's Encrypt certificate registration
- (Optionally) a SMTP server - (Optionally) a SMTP server
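Review bot: "automatically exposes all ports defined in `docker-compose` file" overstates the behaviour. Only entries under a service's `ports:` key are published and get NAT rules; `expose:` entries stay internal to the Docker network and create no host rule. Suggest "automatically publishes every port listed under `ports:` in the compose file, creating iptables NAT rules that UFW and firewalld rules do not govern." Also "Dockers" should be "Docker's", "in `docker-compose` file" needs an article, and since the same caveat is now spelled out in the Ports to Expose warning, this bullet could link there rather than restate it in different words.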