Possible bug in NethServer docker firewall handling

Dear all,

I just installed nethserver-docker and portainer and noticed that if I edit the firewall rules from cockpit and apply them, all the containers in aqua (I’m currently using only aqua) become unable to talk to each other until I run signal-event nethserver-docker-update . Have I missed something?


I’m even unable to expose a port of a container in aqua: if I create a Port forward it seems not to be working and if I create it via Docker I am unable to manage firewall rules on that port.

For docker the Neth firewall UI does not work. You need to set it on command line, see Documentation.
A docker port redirect in combination with a Neth port forward or reverse proxy should work.

1 Like

Hi @mrmarkuz,

i might not have fully understood what you’re telling me to do.
Should I

  • create the port exposure via Docker/Portainer
  • create a local rule from Neths firewall? How? There isn’t any service and I can’t create it since it’s not systemd-linked.


Use the docker published port to get a local port.
Then you may port forward/reverse proxy to the published local port.
You may need to open the port, see services chapter in devel docs.

Hi Mark,

sorry if I’m always late in answering this topic.
Now I:

  • created a new network service and linked it to the ports i need:
config set zabbix-server service status enabled TCPPort 10051 UDPPort 10051 access green
/etc/e-smith/db/configuration/defaults# mkdir zabbix-server && cd zabbix-server
echo service > type
echo enabled > status
  • added the port export from portainer

but now the port is publicly accessible even though I added a local rule Deny from to service zabbix-server.
It seems too that I can still reproduce the bug mentioned before: if I have a firewall adjust, containers can’t talk to each other until I have a nethserver-docker-update too.


Just tried port-forwarding via NethServer firewall to the acqua’s container IP and didn’t get any result.

Just to recap:
You are running zabbix as docker container and want to open its port 10051 to the green network?

Do you use following docker image?

I’ll try to reproduce asap.

Yes, I’m using zabbix/zabbix-server-pgsql:ubuntu-5.2-latest and zabbix/zabbix-web-apache-pgsql:ubuntu-latest. When reconfiguring the firewall, Zabbix Web says the server is down even though the container is running. In fact, pinging from web to server won’t produce any effect.
About the port forwarding: should, IMHO, be reproducible with every service running in docker.
Thank you for your effort,


I could reproduce the issue and I think it’s a bug.
One needs to run signal-event nethserver-docker-update after signal-event firewall-adjust to add docker specific rules to let the containers talk to each other:

[root@testserver ~]# diff shorewall_show_before_firewall_adjust shorewall_show_after_firewall_adjust
< Chain DOCKER (3 references)
> Chain DOCKER (2 references)
<   293 79888 ACCEPT     tcp  --  !aqua0 aqua0             tcp dpt:8080
<    15   981 ACCEPT     tcp  --  !aqua0 aqua0             tcp dpt:10051
< Chain DOCKER-ISOLATION-STAGE-1 (1 references)
<  pkts bytes target     prot opt in     out     source               destination
<    14  1393 DOCKER-ISOLATION-STAGE-2  all  --  aqua0  !aqua0  
<     0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  
<    96 14549 RETURN     all  --  *      *  
< Chain DOCKER-ISOLATION-STAGE-2 (2 references)
<  pkts bytes target     prot opt in     out     source               destination
<     0     0 DROP       all  --  *      aqua0  
<     0     0 DROP       all  --  *      docker0  
<    14  1393 RETURN     all  --  *      *  

I think the firewall-adjust event should run the nethserver-docker-interface-update-restart-docker action like it is done in the interface-update event. @stephdl, what do you think?

You may test it with

ln -s /etc/e-smith/events/actions/nethserver-docker-interface-update-restart-docker /etc/e-smith/events/firewall-adjust/S99nethserver-docker-interface-update-restart-docker

and reconfigure the firewall and now the web container should still be able to reach the server container.
If something went wrong just remove /etc/e-smith/events/firewall-adjust/S99nethserver-docker-interface-update-restart-docker.

Yes, you’re right. It does not work to port forward to a container with aqua but you may use the docker port redirect/publish instead. Or you use macvlan or aeria networking instead of aqua.

It seems the docker published port overrules the service. I need to check…


let me check

true bug, once the firewall-adjust event is triggered the docker cannot ping each other on the aqua network

docker run  -dit --name nginx-test-02 --net=aqua --ip= --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
docker run  -dit --name nginx-test-03 --net=aqua --ip= --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'

then start a shell in a container

docker exec -ti nginx-test-02 /bin/sh

and ping the container nginx-test-03


if your trigger the firewall-adjust the container stops to ping the other container until you restart docker

Right the shorewall restart remove all rules in iptables relative to docker, this is the same behavior

we could add it @mrmarkuz, but in fact this is done by the shorewall restart .

My concerns

The event firewall-adjust does not use systemctl to restart shorewall but the built in command shorewall restart : /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart
Someone could restart manually shorewall and we will have the same issue. Either by systemctl or by shorewall binary itself

1 Like

in docker service, if systemd restarts shorewall, then we restart docker

1 Like
1 Like

released as nethserver-docker-1.0.9-1