Firewalld and Docker simple question

Hi all,
Can someone tell me why I can join an Nginx container hosted test page with the state of the rules below? Does the docker zone allow everything?
I'm browsing from a computer in the 10.10.192.0/24 network on the ens192 interface (ens224 is reserved for the public zone and is not reachable).
Also from a computer in 10.10.50.0/24: there isn't HTTP access allowed in the internal zone, but it's browsing well.
I don't see what rule should allow that.

firewall-cmd --list-all-zones 
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 10.10.50.0/24
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 2375/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens224
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Edit:
NAME="Rocky Linux"
VERSION="8.7 (Green Obsidian)"
ID="rocky"
4.18.0-425.10.1.el8_7.x86_64

The zone "docker" has target ACCEPT, i.e. it allows everything. A question is: who is in that zone?

The new twist is that FirewallD finally supports policy objects. Those dictate traffic between zones.

Every packet that arrives via ens192 or has its source in 10.10.50.0/24 is in zone 'internal'.
If the packets are routed through docker0 to a container, then the internal->docker policy should determine whether they go through.

If the containers are actually bridged to the outside, then the packets are not routed and do not belong to the internal zone either, as bridged traffic does not visit the filter.

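As an added audit helper (not code from this thread), the script below parses the firewall-cmd --list-all-zones format shown above and answers "who is in that zone?" by printing every active zone with its target and the interfaces and sources bound to it; the embedded sample listing is constructed from the thread's values and trimmed to the fields the parser reads.

```shell
#!/bin/sh
# Added audit helper, not part of the forum thread: reads `firewall-cmd --list-all-zones`
# output on stdin and prints one line per *active* zone with its target and the
# interfaces/sources bound to it, so an ACCEPT zone such as "docker" stands out.
audit_active_zones() {
  awk '
    function flush() {
      if (zone != "" && active)
        printf "%s target=%s interfaces=[%s] sources=[%s]\n", zone, target, ifaces, srcs
    }
    # Zone header, e.g. "docker (active)" or "trusted" (no indentation).
    /^[a-z0-9_-]+( \(active\))? *$/ {
      flush(); zone = $1; active = ($2 == "(active)")
      target = ""; ifaces = ""; srcs = ""; next
    }
    /^  target:/     { target = $2 }
    /^  interfaces:/ { sub(/^  interfaces: */, ""); ifaces = $0 }
    /^  sources:/    { sub(/^  sources: */, "");    srcs   = $0 }
    END { flush() }
  '
}

# Constructed sample, trimmed to the fields the parser reads; it mirrors the
# thread's listing (docker on docker0, internal on ens192 + 10.10.50.0/24,
# trusted inactive). On a real host: firewall-cmd --list-all-zones | audit_active_zones
sample_listing() {
  cat <<'EOF'
docker (active)
  target: ACCEPT
  interfaces: docker0
  sources:
internal (active)
  target: default
  interfaces: ens192
  sources: 10.10.50.0/24
trusted
  target: ACCEPT
  interfaces:
  sources:
EOF
}

sample_listing | audit_active_zones
# docker target=ACCEPT interfaces=[docker0] sources=[]
# internal target=default interfaces=[ens192] sources=[10.10.50.0/24]
```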