
On a KVM guest (running CentOS7) of my RHEL8 host, I was expecting firewalld to block, by default, outside access to an ephemeral port published by a Docker container running nginx. To my surprise the access ISN'T blocked.

Again, the host (myhost) is running RHEL8, and it has a KVM guest (myguest) running CentOS7.

The firewalld configuration on myguest is standard, nothin' fancy:

[root@myguest ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Here are the eth0 and eth1 interfaces that fall under the firewalld public zone:

[root@myguest ~]# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:96:9c:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.111/24 brd 192.168.100.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe96:9cfc/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@myguest ~]# ip a s dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:66:6c:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.111/24 brd 192.168.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe66:6ca1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

On myguest I'm running Docker, and the nginx container is publishing its Port 80 to an ephemeral port:

[me@myguest ~]$ docker container ps
CONTAINER ID   IMAGE     COMMAND                  CREATED             STATUS             PORTS                   NAMES
06471204f091   nginx     "/docker-entrypoint.…"   About an hour ago   Up About an hour   0.0.0.0:49154->80/tcp   focused_robinson

Notice that in the prior firewall-cmd output I was not permitting access via this ephemeral TCP Port 49154 (or to any other ephemeral ports for that matter). So, I was expecting that unless I did so, outside access to nginx would be blocked. But to my surprise, from another host in the home network running Windows, I was able to access it:

C:\Users\me>curl http://myguest:49154
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
.
.etc etc

If a container publishes its container port to an ephemeral one on the host (myguest in this case), shouldn't the host firewall utility protect access to that port in the same manner as it would a standard port? Am I missing something?

But I also noticed that in fact the nginx container is listening on a TCP6 socket:

[root@myguest ~]# netstat -tlpan | grep 49154
tcp6       0      0 :::49154                :::*                    LISTEN      23231/docker-proxy

It seems, then, that firewalld may not be blocking tcp6 sockets? I'm confused.

This is obviously not a production issue, nor something to lose sleep over. I'd just like to make sense of it. Thanks.

1 Answer


The integration between docker and firewalld has changed over the years, but based on your OS versions and CLI output I think you can get the behavior you expect by setting AllowZoneDrifting=no in /etc/firewalld/firewalld.conf [1] on the RHEL-8 host.

Due to zone drifting, it is possible for packets received in a zone with --set-target=default (e.g. public zone) to drift to a zone with --set-target=accept (e.g. trusted zone). This means FORWARDed packets received in zone public will be forwarded to zone trusted. If your docker containers are using a real bridge interface, then this issue may apply to your setup. Docker defaults to SNAT so usually this problem is hidden.

Newer firewalld [2] releases have completely removed this behavior, because as you have found it's both unexpected and a security issue.

erig
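A small audit script for the situation described in the question and the setting named in the answer. This is an added example, not code from either poster: it parses the `docker container ps` and `firewall-cmd --list-all` outputs (reconstructed here as constructed sample strings), lists published host ports that the zone's `services:`/`ports:` lines do not cover, and reads `AllowZoneDrifting` from a constructed firewalld.conf fragment. The service-to-port table is an assumption covering only the three services in the question's zone.

```python
import re

# Constructed samples modelled on the outputs shown in the question.
DOCKER_PS = """\
CONTAINER ID   IMAGE     COMMAND                  CREATED             STATUS             PORTS                   NAMES
06471204f091   nginx     "/docker-entrypoint.…"   About an hour ago   Up About an hour   0.0.0.0:49154->80/tcp   focused_robinson
"""
FIREWALL_LIST_ALL = """\
public (active)
  target: default
  services: http https ssh
  ports:
"""
FIREWALLD_CONF = "# constructed fragment of /etc/firewalld/firewalld.conf\nAllowZoneDrifting=yes\n"

# Assumed mapping of the zone's service names to their well-known ports.
SERVICE_PORTS = {"http": {("80", "tcp")}, "https": {("443", "tcp")}, "ssh": {("22", "tcp")}}

# Matches '0.0.0.0:49154->80/tcp', ':::49154->80/tcp' or '[::1]:49154->80/tcp'.
PUBLISHED_RE = re.compile(r"(?:\d+\.\d+\.\d+\.\d+|::|\[[0-9a-fA-F:]+\]):(\d+)->\d+/(tcp|udp)")

def published_ports(docker_ps):
    """Return the set of (host_port, proto) pairs Docker publishes."""
    return set(PUBLISHED_RE.findall(docker_ps))

def allowed_ports(list_all):
    """Return the (port, proto) pairs the zone explicitly allows via services or ports."""
    allowed = set()
    for line in list_all.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "services":
            for svc in value.split():
                allowed |= SERVICE_PORTS.get(svc, set())
        elif key == "ports":
            for entry in value.split():
                port, proto = entry.split("/")
                allowed.add((port, proto))
    return allowed

def unlisted_published(docker_ps, list_all):
    """Published host ports that no zone entry covers, i.e. the ones worth checking."""
    return sorted(published_ports(docker_ps) - allowed_ports(list_all))

def zone_drifting_allowed(conf):
    """True unless AllowZoneDrifting is explicitly 'no' (assumed default when unset)."""
    m = re.search(r"^\s*AllowZoneDrifting\s*=\s*(\w+)", conf, re.M)
    return m is None or m.group(1).lower() != "no"

if __name__ == "__main__":
    print("published but not in zone:", unlisted_published(DOCKER_PS, FIREWALL_LIST_ALL))
    print("zone drifting allowed:", zone_drifting_allowed(FIREWALLD_CONF))
```

On a live host, feed it the real command outputs instead of the samples; an empty result for the first check means every published port is also listed in the zone, which is the state the question expected.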