Currently I am working on a project where I have to dockerize an application that is supposed to be running on Windows. It is an application that can be installed and configured via command line. The question is applicable to any application in the end.

The platform of my choice is obviously Windows. Therefore I have chosen a base image mcr.microsoft.com/windows/servercore:1803 to begin with.

After installation my application will need a rule added to the Firewall. So I decided to test whether I am able to manipulate the firewall inside a container. It turned out to be a very problematic experience.

What I've done so far:

FROM mcr.microsoft.com/windows/servercore:1803

# Add user 
RUN net user /add MyUser
RUN net user MyUser ABCdef123!
RUN net localgroup "Administrators" MyUser /add

After that I tested whether I can see the FW rules by calling Get-NetFirewallRule. This resulted in an error:

Get-NetFirewallRule : There are no more endpoints available from the endpoint mapper.
At line:1 char:1
+ Get-NetFirewallRule
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_NetFirewallRule:root/standardcimv2/MSFT_NetFirewallRule) [Get-NetFirewallRule], CimException
    + FullyQualifiedErrorId : Windows System Error 1753,Get-NetFirewallRule

I checked the services that are currently running by calling Get-Service, which resulted in a list of services containing this line: Stopped mpssvc Windows Defender Firewall. Looks like the FW is not even started. I decided to dig deeper and check the registry for some clues. Calling this cmd REG QUERY HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start gave me a value of 4, which is Disabled. So I tried to enable it by setting it to 2, but had no luck starting the service afterwards:

REG ADD HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start /t REG_DWORD /d 2 /f
net start MpsSvc

Result:

System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

The services the FW depends on (BFE, RDC, etc.) are running fine. It just won't start.

Any clues from bright minds? Thanks in advance!

  • Did you ever find a solution? I'm assuming it's disabled because containers are stateless and ports are exposed by container config – goofology Feb 19 '22 at 22:21
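The checks above (service state, the Start value in the registry, the dependencies, and the Get-NetFirewallRule call) gathered as one script, so the evidence can be collected in one `docker exec` without the first error aborting the run. This is an added example, not code from the question; the function name is my own choice and it assumes PowerShell 5.1, which is what the servercore:1803 image ships.

```powershell
# Added example: run inside the container, e.g.
#   docker exec <container> powershell -File Test-ContainerFirewall.ps1
# Collects the same evidence the question gathered by hand.
function Test-ContainerFirewall {
    $result = [ordered]@{}

    # 1. Service state and start type. StartType 'Disabled' is the same fact
    #    as Start = 4 under HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $result.MpsSvcPresent = $false
    } else {
        $result.MpsSvcPresent   = $true
        $result.MpsSvcStatus    = [string]$svc.Status
        $result.MpsSvcStartType = [string]$svc.StartType
    }

    # 2. Registry view of the same setting (what REG QUERY ... /v Start showed).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc'
    $result.RegistryStart = (Get-ItemProperty -Path $key -Name Start `
                             -ErrorAction SilentlyContinue).Start

    # 3. The services MpsSvc depends on, with their state (BFE etc.).
    $result.Dependencies = @()
    if ($svc) {
        foreach ($dep in $svc.ServicesDependedOn) {
            $result.Dependencies += ('{0}={1}' -f $dep.Name, $dep.Status)
        }
    }

    # 4. Can the firewall CIM provider be reached at all? Error 1753 ("no more
    #    endpoints available from the endpoint mapper") means the RPC endpoint
    #    MpsSvc would normally register does not exist, which is expected while
    #    the service is disabled, so catch it instead of letting the script die.
    try {
        $rules = @(Get-NetFirewallRule -ErrorAction Stop)
        $result.FirewallRulesVisible = $true
        $result.FirewallRuleCount    = $rules.Count
    } catch {
        $result.FirewallRulesVisible = $false
        $result.FirewallError        = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-ContainerFirewall | Format-List
```

On the image from the question this is expected to report MpsSvcStatus Stopped, MpsSvcStartType Disabled, RegistryStart 4 and FirewallRulesVisible False with the 1753 message, which is the state the question describes; the point of the script is to get all four facts in one run rather than to change anything.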

1 Answer

Assuming you use a Windows Server container, not a Hyper-V container, you share the kernel with the host and hence use the host's firewall.

From Network Isolation and Security:

Depending on which container and network driver is used, port ACLs are enforced by a combination of the Windows Firewall and VFP.

Windows Server containers

These use the Windows host's firewall (enlightened with network namespaces) as well as VFP

Default Outbound: ALLOW ALL

Default Inbound: ALLOW ALL (TCP, UDP, ICMP, IGMP) unsolicited network traffic

DENY ALL other network traffic not from these protocols

vrdse
  • thank you for the suggestion. I am quite new to all this isolation and containers. How can I check whether I use hyper-v or windows server container? – George Vasilchenko Nov 26 '18 at 17:04
  • Windows Server Container is the default. You have a Hyper-V container if you created it with `--isolation=hyperv` – vrdse Nov 26 '18 at 17:09
  • The application I am going to containerize requires a FW permission on the first run. It's that popup dialog where you confirm the permission. I am a bit in doubt about the actual behavior when the app will run in a container. Since the FW, as you say, is sort of inherited from a host, then how would that rule be requested/added? There is no GUI to confirm, that's why my bet was to define it up front. Imagine there is no control over the host's FW either, then how would the FW for such an app be configured..? – George Vasilchenko Nov 26 '18 at 19:25
  • The Firewall is not configured by the App. You have to configure it in the host. These pop-ups help to simplify configuration and don't work inside containers. – vrdse Nov 26 '18 at 20:23
  • necroposting - it appears it's not possible to enable firewall on either windows-server container or hyper-v isolated containers – goofology Feb 19 '22 at 22:21
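The answer's point is that the rule belongs on the host, not in the container, and the comments add that this only holds for the default (process-isolated) Windows Server container. The following host-side script puts both together: it reads the container's isolation mode and published ports from `docker inspect` and creates one inbound rule on the host firewall per published host port. This is an added example, not code from the answer or its author; the parameter names, the rule-name prefix and the choice to key rules on the published host port are my own, and it assumes an elevated PowerShell session on a Windows container host with the Docker CLI on the path.

```powershell
# Added example: run on the container HOST (elevated), e.g.
#   .\Add-ContainerFirewallRules.ps1 -ContainerName myapp
param(
    [Parameter(Mandatory)] [string] $ContainerName,
    [string] $RulePrefix = 'Container'        # my own naming convention
)

# Isolation mode as recorded by Docker: 'process' (Windows Server container,
# shares the host kernel and therefore the host firewall), 'hyperv', or
# 'default'/empty when the daemon default was used.
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $ContainerName
if ($LASTEXITCODE -ne 0) { throw "docker inspect failed for '$ContainerName'" }
Write-Host "Isolation mode recorded by Docker: '$isolation'"
if ($isolation -eq 'hyperv') {
    Write-Warning 'Hyper-V isolated container: the quoted doc only describes host-firewall enforcement for Windows Server containers.'
}

# Published ports, e.g. {"8080/tcp":[{"HostIp":"","HostPort":"8080"}]}
$json     = docker inspect --format '{{json .HostConfig.PortBindings}}' $ContainerName
$bindings = $json | ConvertFrom-Json
if ($null -eq $bindings -or -not $bindings.PSObject.Properties.Name) {
    Write-Host 'No published ports (-p) on this container; nothing to allow.'
    return
}

foreach ($prop in $bindings.PSObject.Properties) {
    $containerPort, $proto = $prop.Name -split '/'        # "8080/tcp" -> 8080, tcp
    foreach ($binding in @($prop.Value)) {
        $hostPort = $binding.HostPort
        if (-not $hostPort) { continue }                    # not bound yet
        $name = "$RulePrefix $ContainerName $proto/$hostPort"

        # Idempotent: skip if a rule with this display name already exists.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule already present: $name"
            continue
        }
        New-NetFirewallRule -DisplayName $name `
                            -Direction   Inbound `
                            -Protocol    $proto.ToUpper() `
                            -LocalPort   $hostPort `
                            -Action      Allow `
                            -Profile     Any | Out-Null
        Write-Host "Created rule: $name (host $proto/$hostPort -> container port $containerPort)"
    }
}
```

Because the rule is keyed on the host port rather than on the application binary, it does not depend on anything inside the image, which is what the question was trying to achieve with the Dockerfile; removing the rules again is a matter of `Get-NetFirewallRule -DisplayName "Container myapp *" | Remove-NetFirewallRule` with the same prefix.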