No internet connection
  1. Home
  2. Issues

Using firewalld instead of ufw

By Dashamir Hoxha @dashohoxha2021-03-31 05:02:58.948Z

I think that docker doesn't play well with ufw. It supports firewalld instead.
https://github.com/debiki/talkyard-prod-one/blob/master/scripts/start-firewall.sh#L15

  • 3 replies
  1. KajMagnus @KajMagnus2021-03-31 14:06:14.294Z2021-04-04 15:53:36.262Z

    Ok, seems like a good idea (after having read a bit about firewalld + Debian, Fedora, see below).

    What do you like better with firewalld / would you say doesn't work well with ufw + Docker?

    Personally I remember I was confused about having to do this, with ufw:

    # Make the firewall work with Docker: (not needed in Google Compute Engine)
    # 1) Change forward policy to accept: DEFAULT_FORWARD_POLICY="ACCEPT"
    sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/#&\n# This makes Docker work:\nDEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
    

    (in that start-firewall.sh script)

    ***

    I websearched for "systemd firewall", and yes maybe firewalld is "the future" — from the Debian wiki:

    ... Debian Buster [i.e. Debian 10] ...
    You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run ?firewalld, which integrates pretty well into the system. See also https://firewalld.org/

    https://wiki.debian.org/nftables

    And an upvoted reply over at Reddit about ufw and firewalld:

    firewalld is probably going to become the standard IPC interface to iptables

    https://www.reddit.com/r/archlinux/comments/3aroy1/firewalld_vs_ufw/

    ***

    I'll make a note about probably recommending firewalld instead, in Ty tech stack version 1. (Currently at version 0)

    (I'll move this topic to the Ideas category. Update: I moved it back to Issues — there's a problem, see below)

    1. DDashamir Hoxha @dashohoxha2021-03-31 16:44:32.098Z

      The problem with ufw and docker is that ufw allow 80 does not do what you would expect. Personally I realized this too late. Here is a more detailed description: https://github.com/chaifeng/ufw-docker
      With simple docker setups probably this doesn't matter, but once you have multiple docker virtual networks you may find out that things do not work as you expect.

      firewalld maybe is a bit more complex than ufw, but it is very simple for basic usage. When you install it port 22 is allowed by default, and usually you don't need to do any extra configurations, especially related to docker. For example I usually do this: https://gitlab.com/dashohoxha/server-scripts/-/blob/master/scripts/ubuntu.sh#L25-28

      1. KajMagnus @KajMagnus2021-04-04 15:36:07.789Z2021-04-04 15:51:26.719Z

        Hi Dashamir, thanks for explaining. Hmm I'll edit the installation instructions and mention this now directly.

        (Edit: Now done. In https://github.com/debiki/talkyard-prod-one/ , the readme.)

    2. Progress
      with handling this problem
    3. @KajMagnus marked this topic as Planned 2021-03-31 14:08:07.445Z.