[kwlug-disc] Egress hole in Docker networking
Mikalai Birukou
mb at 3nsoft.com
Sat May 18 20:00:12 EDT 2019
Can a possible solution be in creating docker_gwbridge manually with
--opt com.docker.network.bridge.enable_ip_masquerade=false ?
On 2019-05-18 7:31 p.m., Mikalai Birukou via kwlug-disc wrote:
> Imagine that you have a Docker stack of services, all connected to
> each other via internal (!) overlay networks.
>
> Let's say service X is connected only to internal (!) networks. If X
> is busted by hacker, can it phone home? It turns out that every
> service is attached to docker_gwbridge to provide egress.
>
> Docs claim that X can't talk to other containers on docker_gwbridge.
> But when it comes to the rest of one's internal network, filtering on
> each host of the swarm should be added.
>
> Should we simply ban all initiated outbound traffic on
> docker_gwbridge? It seems that published services have their inbound
> traffic also go via docker_gwbridge.
>
> 1) I just wanted to share this.
>
> 2) Has anyone seen this? Have you plugged this egress hole efficiently,
> i.e. reasonable configs?
>
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
--
Mikalai Birukou
CEO | 3NSoft Inc.
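As an added example (not from the thread or from Docker's own tooling), here is one way to do the per-host filtering the quoted message asks about: drop connections *initiated* from docker_gwbridge while still letting replies to published services through, and log what gets dropped so a compromised service trying to phone home shows up in the host logs. It uses Docker's DOCKER-USER chain and the iptables conntrack match, both real; the bridge name docker_gwbridge comes from the thread. The function names, the log prefix and the two iptables-save dumps are my own constructed inputs, there to show the audit half running offline; on a real node you would pipe the output of iptables-save into the same check.

```bash
#!/bin/sh
# Added example (not from the thread): host-side egress block for docker_gwbridge.
# Assumes: the bridge is named docker_gwbridge (as in the thread), Docker's
# DOCKER-USER chain exists (Docker consults it before its own FORWARD rules),
# and iptables is run as root on every swarm node.

# Apply the block. Rules are inserted at the top of DOCKER-USER in reverse
# order, so the chain reads: ACCEPT replies, LOG new, DROP new, then Docker's
# RETURN. Replies to published (inbound) services are RELATED/ESTABLISHED and
# still pass; only connections *initiated* from the bridge are dropped.
apply_gwbridge_egress_block() {
    iptables -I DOCKER-USER -i docker_gwbridge -m conntrack --ctstate NEW -j DROP
    iptables -I DOCKER-USER -i docker_gwbridge -m conntrack --ctstate NEW \
        -j LOG --log-prefix "gwbridge-egress: "
    iptables -I DOCKER-USER -i docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Audit: read an iptables-save dump on stdin and succeed (exit 0) only if
# DOCKER-USER contains a rule dropping NEW connections entering from docker_gwbridge.
gwbridge_egress_blocked() {
    grep -q -- '^-A DOCKER-USER -i docker_gwbridge .*--ctstate NEW -j DROP'
}

# Constructed sample dumps, standing in for `iptables-save` output on a node.
SAMPLE_DEFAULT='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
COMMIT'

SAMPLE_HARDENED='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i docker_gwbridge -m conntrack --ctstate NEW -j LOG --log-prefix "gwbridge-egress: "
-A DOCKER-USER -i docker_gwbridge -m conntrack --ctstate NEW -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Report on one dump; argument 1 is a label, the dump comes on stdin.
report() {
    if gwbridge_egress_blocked; then
        echo "$1: docker_gwbridge egress blocked"
    else
        echo "$1: docker_gwbridge egress OPEN"
    fi
}

printf '%s\n' "$SAMPLE_DEFAULT"  | report default
printf '%s\n' "$SAMPLE_HARDENED" | report hardened
# On a live node: iptables-save | report "$(hostname)"
```

Two caveats worth knowing before relying on this. DOCKER-USER sits in the FORWARD path, so it only sees traffic the host forwards; packets from a container to the host itself go through INPUT and need their own rule if that matters to you. And turning off masquerading on the bridge (enable_ip_masquerade=false, as suggested above) only removes the SNAT rule; the host still forwards the packets with the container's own source address, so it is the DROP rule, not the NAT setting, that actually closes the hole.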