alt Hacker NewsLike the known Docker "feature" that it completely bypasses UFW and unless your ports look like "- 127.0.0.1:PORT:PORT" (and many of the examples use "-PORT:PORT") you expose everything to the internet?
Like the known Docker "feature" that it completely bypasses UFW and unless your ports look like "- 127.0.0.1:PORT:PORT" (and many of the examples use "-PORT:PORT") you expose everything to the internet?
My understanding is that docker will expose the ports to the host machine's network interfaces, which is a crucial difference. For my home server running docker that means exposed to the LAN, but not the WAN unless I add in a port forwarding rule on my router. Similarly in an enterprise environment you would be exposing the port on whatever VLAN the host is connected to, which hopefully doesn't have directly transit to the open internet.
Anything you're running on the perimeter with open access to the internet in an enterprise environment probably (hopefully) isn't running docker containers without some additional config and protections.