Comment

Comment on Docker security

<- View Parent

slazer2au@lemmy.world ⁨1⁩ ⁨week⁩ ago

iptables and firewalld are not reliable

Can you give examples of that?

source

Sort:hotnew top

GreenKnight23@lemmy.world ⁨1⁩ ⁨week⁩ ago
anyone gaining physical or remote access to the device can set rules. by protecting the entire network with a hardware firewall you mitigate attack vectors from other hardware on your network that become compromised.

iptables and firewalld are notorious for locking users out of the system by overzealous or green system admins. in the msp world this happens practically by the hour.

iptables and firewalld can be used against you in the event of a breach. one of the first things an attacker may attempt is to forward ports and lock system admins out as they take over the system.

make sure you save your rules properly or they’ll be gone after a reboot or botched upgrade

migrating your rules from one system to another when you’re changing hardware or restoring a system is a huge pain in the ass.

got a network change that’s going to modify the subnet your systems are on? get ready to migrate all 15 of your devices one by one for the next 8-15 hours (depending on the complexity of your rules)

it’s far easier, and safer to have all your network config done in the network. from system migrations to securing/hardening. it’s far more efficient and effective to have a single source of truth that manages network routing and firewall rules. hell, you can even have a redundant or load balanced firewall configuration if you’re afraid of a single point of failure.

point is, firewalld and iptables is for amateur hour and hobbyists.

if you want to complain that “docker doesn’t respect system firewalls” then at least have the chutzpah enough to do it the right way from the beginning.
source
- slazer2au@lemmy.world ⁨1⁩ ⁨week⁩ ago
  None of those speak to the reliability of iptables. They all sound like skill issues.
  
  In 15 years of network engineering iptables has been the simplest part.
  
  A layered approach with hardware firewalls is valid but when those firewalls get popped, looking at you Cisco, Fortinet, and PA you still want host level restrictions.
  Your firewall or switch should never be used as a jump host to servers
  
  source
- atzanteol@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  
  point is, firewalld and iptables is for amateur hour and hobbyists.
  
  Which is weird for you to say since practically all of the issues you list are mistakes that amateurs and hobbyists make.
  
  source
  - GreenKnight23@lemmy.world ⁨1⁩ ⁨week⁩ ago
    this is selfhosted. a community that’s predominantly amateur or hobbyist.
    
    source
    atzanteol@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
    But absolutely none of the issues you listed are issues with iptables.
    
    source
    -> View More Comments