[kwlug-disc] Egress hole in Docker networking
Mikalai Birukou
mb at 3nsoft.com
Sat May 18 19:31:32 EDT 2019
Imagine that you have a Docker stack of services, all connected to each
other via internal (!) overlay networks.

Let's say service X is connected only to internal (!) networks. If X is
busted by a hacker, can it phone home? It turns out that every service is
attached to docker_gwbridge to provide egress.

Docs claim that X can't talk to other containers on docker_gwbridge. But
when it comes to the rest of one's internal network, filtering on each
host of the swarm should be added.

Should we simply ban all initiated outbound traffic on docker_gwbridge?
It seems that published services have their inbound traffic also go via
docker_gwbridge.

1) I just wanted to share this.

2) Has anyone seen this? Have you plugged this egress hole efficiently,
i.e. with reasonable configs?
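One way to do the per-host filtering the post asks about, as an added example that is not part of the original message: rules in Docker's DOCKER-USER chain that drop (and log) new connections initiated from docker_gwbridge while still accepting replies, so published services keep working. The bridge name and the destination CIDRs are parameters you pass in; nothing here is taken from a real swarm.

```shell
#!/bin/sh
# Added example: block container-initiated egress through docker_gwbridge on
# a swarm node without breaking replies to published services. DOCKER-USER is
# Docker's documented hook chain for custom FORWARD rules; the bridge name and
# destination CIDRs below are parameters (assumed, not read from any host).

# Print iptables commands for bridge $1. Remaining args are destination CIDRs
# to protect (e.g. the rest of the internal network); none means "drop all
# new outbound connections from the bridge".
gwbridge_egress_rules() {
  br="$1"; shift
  # Replies to inbound connections (published services) and packets of flows
  # already allowed must keep flowing: match them first.
  echo "iptables -I DOCKER-USER 1 -i $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  if [ "$#" -eq 0 ]; then
    set -- 0.0.0.0/0
  fi
  n=2
  for cidr in "$@"; do
    # Log first so phone-home attempts show up in the host's syslog/SIEM ...
    echo "iptables -I DOCKER-USER $n -i $br ! -o $br -d $cidr -m conntrack --ctstate NEW -j LOG --log-prefix \"gwbridge-egress: \""
    n=$((n + 1))
    # ... then drop the new connection attempt itself.
    echo "iptables -I DOCKER-USER $n -i $br ! -o $br -d $cidr -m conntrack --ctstate NEW -j DROP"
    n=$((n + 1))
  done
}

# Count the DROP rules in a generated rule set (sanity check before applying).
count_drops() {
  printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# With --apply as the first argument the rules are executed (needs root and
# must be repeated on every swarm node); otherwise they are only printed.
if [ "${1:-}" = "--apply" ]; then
  shift
  gwbridge_egress_rules "$@" | while IFS= read -r rule; do eval "$rule"; done
fi
```

Run `sh gwbridge_egress.sh docker_gwbridge 10.0.0.0/8 192.168.0.0/16` to review the rules, then add `--apply` on each node once they look right.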