Possible bug in NethServer docker firewall handling

Dear all,

I just installed nethserver-docker and portainer and noticed that if I edit the firewall rules from cockpit and apply them, all the containers in aqua (I’m currently using only aqua) become unable to talk to each other until I run signal-event nethserver-docker-update. Have I missed something?

Thanks,

I’m even unable to expose a port of a container in aqua: if I create a Port forward it seems not to be working and if I create it via Docker I am unable to manage firewall rules on that port.

For docker the Neth firewall UI does not work. You need to set it on the command line, see Documentation.
A docker port redirect in combination with a Neth port forward or reverse proxy should work.

Hi @mrmarkuz,

I might not have fully understood what you’re telling me to do.
Should I

  • create the port exposure via Docker/Portainer
  • create a local rule from Neth’s firewall? How? There isn’t any service and I can’t create it since it’s not systemd-linked.

Thanks,

Use the docker published port to get a local port.
Then you may port forward/reverse proxy to the published local port.
You may need to open the port, see services chapter in devel docs.

Hi Mark,

sorry if I’m always late in answering this topic.
Now I:

  • created a new network service and linked it to the ports I need:
config set zabbix-server service status enabled TCPPort 10051 UDPPort 10051 access green
/etc/e-smith/db/configuration/defaults# mkdir zabbix-server && cd zabbix-server
echo service > type
echo enabled > status
  • added the port export from portainer

but now the port is publicly accessible even though I added a local rule Deny from 0.0.0.0/0 to service zabbix-server.
It also seems that I can still reproduce the bug mentioned before: if I have a firewall adjust, containers can’t talk to each other until I have a nethserver-docker-update too.

Thanks,

Just tried port-forwarding via NethServer firewall to the aqua container’s IP and didn’t get any result.

Just to recap:
You are running zabbix as docker container and want to open its port 10051 to the green network?

Do you use the following docker image?

I’ll try to reproduce asap.

Yes, I’m using zabbix/zabbix-server-pgsql:ubuntu-5.2-latest and zabbix/zabbix-web-apache-pgsql:ubuntu-latest. When reconfiguring the firewall, Zabbix Web says the server is down even though the container is running. In fact, pinging from web to server won’t produce any effect.
About the port forwarding: it should, IMHO, be reproducible with every service running in docker.
Thank you for your effort,
