Description
Hi. Learned of ufw-docker after realizing I needed to figure out a way to protect containers from the outside. Found this project, installed it, and all looked well.
... Until, that is, I rebooted the server containing the Docker host and all the containers and discovered the rules had been obliterated from the running ufw install. However... I did note that after.rules still exists in /etc/ufw, as expected. Shouldn't this have been reapplied upon boot of the server and ufw starting up?
This is on a Proxmox server with Debian as the OS of choice for running the containers on Docker, and this was working remarkably well... right up until said reboot.
ufw-docker install does nothing other than reinstall the existing after.rules, either. ufw-check reports the following:
root@server ➜ ~ ufw-docker install
--- /etc/ufw/after.rules 2025-04-09 03:25:34.978705941 -0600
+++ /tmp/tmp.YiTjLUHlvM 2025-04-09 04:20:14.531409871 -0600
@@ -28,3 +28,30 @@
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
+# BEGIN UFW AND DOCKER
+*filter
+:ufw-user-forward - [0:0]
+:ufw-docker-logging-deny - [0:0]
+:DOCKER-USER - [0:0]
+-A DOCKER-USER -j ufw-user-forward
+
+-A DOCKER-USER -j RETURN -s 10.0.0.0/8
+-A DOCKER-USER -j RETURN -s 172.16.0.0/12
+-A DOCKER-USER -j RETURN -s 192.168.0.0/16
+
+-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
+
+-A DOCKER-USER -j RETURN
+
+-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+-A ufw-docker-logging-deny -j DROP
+
+COMMIT
+# END UFW AND DOCKER
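Review bot: the hunk is a pure addition (`@@ -28,3 +28,30 @@` with no `-` lines), so the BEGIN/END block was absent from /etc/ufw/after.rules at the moment this install ran; the timestamped backup the tool writes at the end of the run is the place to check whether the block was present before the reboot. Two filtering caveats in the added rules themselves: the RETURN lines for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 sit above the ufw-docker-logging-deny lines, so any packet with an RFC1918 source (the LAN, other bridge networks) is never denied by this chain, and the UDP deny lines cover `--dport 0:32767` only, so UDP to private destinations on ports 32768 and up falls through to the final `-A DOCKER-USER -j RETURN`. Likewise `--sport 53 --dport 1024:65535 -j RETURN` lets through any UDP datagram that merely claims source port 53.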
Backing up /etc/ufw/after.rules to /etc/ufw/after.rules-ufw-docker~2025-04-09-042014~
Please restart UFW service manually by using the following command:
sudo systemctl restart ufw
root@server ➜ ~ systemctl restart ufw
root@server ➜ ~ ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
root@server ➜ ~ ufw disable
Firewall stopped and disabled on system startup
root@server ➜ ~ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@server ➜ ~ ufw-docker check
########## iptables -n -L DOCKER-USER ##########
Chain DOCKER-USER (1 references)
target                  prot opt source               destination
ufw-user-forward        0    --  0.0.0.0/0            0.0.0.0/0
RETURN                  0    --  10.0.0.0/8           0.0.0.0/0
RETURN                  0    --  172.16.0.0/12        0.0.0.0/0
RETURN                  0    --  192.168.0.0/16       0.0.0.0/0
RETURN                  17   --  0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1024:65535
ufw-docker-logging-deny 6    --  0.0.0.0/0            192.168.0.0/16       tcp flags:0x17/0x02
ufw-docker-logging-deny 6    --  0.0.0.0/0            10.0.0.0/8           tcp flags:0x17/0x02
ufw-docker-logging-deny 6    --  0.0.0.0/0            172.16.0.0/12        tcp flags:0x17/0x02
ufw-docker-logging-deny 17   --  0.0.0.0/0            192.168.0.0/16       udp dpts:0:32767
ufw-docker-logging-deny 17   --  0.0.0.0/0            10.0.0.0/8           udp dpts:0:32767
ufw-docker-logging-deny 17   --  0.0.0.0/0            172.16.0.0/12        udp dpts:0:32767
RETURN                  0    --  0.0.0.0/0            0.0.0.0/0
########## diff /etc/ufw/after.rules ##########
Check done.
Previously, it would show the rules even in ufw status, but now it just shows the following:
root@server ➜ ~ ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Additionally, this breaks Docker communication until ufw disable is used, rendering this script pointless if it does not successfully ensure the rules are correctly restored during boot/start of a given server.
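An added check, written for this thread and not code from the issue or from the ufw-docker project: given an after.rules file and an iptables-save dump of the filter table, it reports whether the "UFW AND DOCKER" block is in the file and whether its DOCKER-USER rules are actually loaded, which is the state the post describes losing on reboot. The rules file and the two dumps inside the block are constructed samples, not captured from the reporter's host; on a real host the dump comes from `iptables-save -t filter` and the rules file is /etc/ufw/after.rules.

```shell
#!/bin/sh
# Added example (not from the issue or from ufw-docker): is the managed block in
# after.rules, and are its rules loaded in the live DOCKER-USER chain?
# Live state is read from an iptables-save dump so the check runs offline;
# on a real host produce it with:  iptables-save -t filter > /tmp/live.rules

# Number of "-A" rules between the BEGIN/END markers of an after.rules file
# (0 when the managed block is missing).
block_rule_count() {
    awk '/^# BEGIN UFW AND DOCKER/ {inblk=1; next}
         /^# END UFW AND DOCKER/   {inblk=0}
         inblk && /^-A /           {n++}
         END {print n+0}' "$1"
}

# Number of rules in one chain of an iptables-save dump. iptables-save rewrites
# option order ("-j RETURN -s 10.0.0.0/8" comes back as "-s 10.0.0.0/8 -j RETURN"),
# so rules are counted per chain instead of compared as strings.
live_chain_count() {
    awk -v chain="$2" '$1 == "-A" && $2 == chain {n++} END {print n+0}' "$1"
}

# Returns 0 when the block is present and the dump holds the same number of
# DOCKER-USER rules plus a non-empty ufw-docker-logging-deny chain; 1 otherwise.
ufw_docker_loaded() {
    rules_file=$1; dump_file=$2
    expected=$(awk '/^# BEGIN UFW AND DOCKER/ {inblk=1; next}
                    /^# END UFW AND DOCKER/   {inblk=0}
                    inblk && $1 == "-A" && $2 == "DOCKER-USER" {n++}
                    END {print n+0}' "$rules_file")
    [ "$expected" -gt 0 ] || return 1
    [ "$(live_chain_count "$dump_file" DOCKER-USER)" -eq "$expected" ] || return 1
    [ "$(live_chain_count "$dump_file" ufw-docker-logging-deny)" -gt 0 ] || return 1
}

# Constructed sample inputs (not captured from a host) so the check runs offline.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/after.rules" <<'EOF'
*filter
COMMIT
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
EOF

# Dump as it looks while the rules are loaded (option order as iptables-save prints it).
cat > "$DEMO_DIR/loaded.dump" <<'EOF'
*filter
:DOCKER-USER - [0:0]
:ufw-docker-logging-deny - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
EOF

# Dump as it looks after a reboot where only Docker's own default rule remains.
cat > "$DEMO_DIR/rebooted.dump" <<'EOF'
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
COMMIT
EOF

if ufw_docker_loaded "$DEMO_DIR/after.rules" "$DEMO_DIR/loaded.dump"; then
    echo "loaded.dump: ufw-docker rules are loaded"
fi
if ! ufw_docker_loaded "$DEMO_DIR/after.rules" "$DEMO_DIR/rebooted.dump"; then
    echo "rebooted.dump: ufw-docker rules are NOT loaded"
fi
```

Run it right after a reboot with the real file and a fresh dump; a non-zero result from ufw_docker_loaded while after.rules still contains the block points at the rules not being reapplied at boot rather than at the file being lost, which is the distinction the report turns on.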