What is default firewall behavior inside container

  • Question

  • When we start the container, what is the default firewall behaviour? Are all the ports open by default, or does the firewall block all the ports?

    Do we need to create a new firewall rule to open the specific port if the firewall blocks all the ports by default?

    A few more questions:

    1. This is one of those stupid questions. As we create the image through windowsservercore, is the image created with the firewall by default? Or is the firewall not installed by default, as it is one of the Just Enough Operating Systems?
    2. I created an nginx container and it was running in the container host. I didn't explicitly open port 80 inside my container, but I opened port 80 on the container host. In this case I was able to access the nginx container from outside the container host even though I had not explicitly opened port 80 inside the container.
    3. When we run commands like New-NetFirewallRule or Get-NetFirewallRule, they fail inside the container.

    regards,

    ilan

    Thursday, August 27, 2015 4:10 AM

Answers

  • This is correct. Fundamentally, there is only one firewall on the system. At this point in time we are missing the ability to control the firewall on a per-container basis (this is planned), so when you open up a port in the container host it is opened for all containers.

    This posting is provided AS IS with no warranties, and confers no rights. You assume all risk for your use.

    • Marked as answer by Ilan_g Friday, August 28, 2015 10:09 AM
    Friday, August 28, 2015 9:09 AM
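The "one firewall" behaviour described in the answer above, as an added example that is not code from the thread or from Microsoft: a host-side PowerShell script that opens TCP 80 for the nginx container on the host's Windows Firewall, narrows the rule as far as a host-wide rule can be narrowed (by remote address, since there is no per-container scope), and then reads back what the firewall actually stored. The rule display name, the `10.0.0.0/24` client subnet, the `10.0.0.5` host address and the `cexecsvc` service check are assumptions for illustration.

```powershell
# Added example, not code from the thread or from Microsoft. Opens a port on the
# host's Windows Firewall for a container workload (nginx on TCP 80), keeps the
# rule as narrow as a host-wide rule can be, then verifies it. Assumed values:
# the rule display name, the remote client subnet and the host address.
#Requires -RunAsAdministrator
param(
    [int]    $Port         = 80,                   # port the container service listens on
    [string] $RuleName     = 'Container-nginx-80', # assumed display name for the rule
    [string] $RemoteSubnet = '10.0.0.0/24',        # assumed client network allowed to connect
    [string] $HostAddress  = '10.0.0.5'            # assumed address of the container host
)

Import-Module NetSecurity

# Heuristic guard (an assumption, not a documented API): the thread reports that the
# NetSecurity cmdlets fail inside a container, so refuse to run there. Windows
# containers run the Container Execution Agent service (cexecsvc); hosts do not.
function Test-InsideWindowsContainer {
    return [bool](Get-Service -Name cexecsvc -ErrorAction SilentlyContinue)
}
if (Test-InsideWindowsContainer) {
    throw 'Run this on the container host: there is one firewall, owned by the host.'
}

# 1. Inventory: which enabled inbound rules already allow this TCP port? Every
#    container on the host is affected by these, so know what is there first.
$already = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
$already | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 2. Create the rule once, scoped by remote address. Note what cannot be done:
#    no parameter restricts a rule to one container, so this rule applies to
#    anything on the host that listens on TCP $Port, in any container.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description "Host-wide allow for container service on TCP $Port; applies to all containers" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $RemoteSubnet `
        -Action Allow -Profile Any | Out-Null
}

# 3. Verify what the firewall actually stored, not what the script intended.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

# 4. Reachability check (run from a client in $RemoteSubnet, or from the host):
#    TcpTestSucceeded is $true once the rule and the container's listener line up.
$probe = Test-NetConnection -ComputerName $HostAddress -Port $Port
"TCP ${Port} reachable: $($probe.TcpTestSucceeded)"

# Back the change out when the container goes away; nothing removes it for you:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

Two practical points follow from the shared firewall: the inventory step matters because a rule opened for one container's port also exposes any other container (or host service) that binds the same port, and the remote-address scope is the only narrowing that survives, since the rule cannot name a container. If the host maps container ports through NAT, the rule is still evaluated on the host interface where the packet arrives, so keep the scope on remote address rather than guessing an interface alias.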
  • I am finding something weird, or I don't know whether that is expected behaviour.

    Whatever firewall rule I set in the container host is getting propagated to my container.

    I started my nginx container and it is running nginx on port 80. I am not able to telnet or connect to the nginx server running inside my nginx container from the container host. But when I create a new rule in the container host to enable port 80 for my container host (only for the container host and not inside my nginx container), then I am able to access nginx running inside my nginx container.

    The same behaviour is observed for my MySQL running on port 3306 inside the container.

    My understanding:

    Whatever firewall rule is set in the container host is getting propagated to the container. Based on the firewall rule on my container host, only those ports are opened from the container. Please note this is apart from port expose.

    Probably someone from MSFT should validate this, or I am making some terrible mistake in my understanding.

    regards

    ilan


    • Marked as answer by Ilan_g Friday, August 28, 2015 10:24 AM
    Thursday, August 27, 2015 6:59 AM

All replies

  • Ben,

    Thanks for your reply. Probably it would be great if this were specified in the Workaround document which you are maintaining. I don't see it in any place, and it took me a considerable amount of time to come to this assumption.

    BTW, just want to let you know, this breaks one of the important virtues of Docker, container portability. I remember in one post the Docker CTO mentioning that a container should work just like that when we move from one env to another env without depending on any of the external env (in the Linux world). Probably here I see the container depends upon the firewall rule of the host in which it is running. I am mentioning accessing the container from the host.

    I know this is a Test Preview and you are burning the midnight oil to bring it into good shape, but just want to let you know that even this small feature breaks portability.

    Again, thanks for clarifying, and please kindly update the Workaround so other people can take note of it.

    Probably you should mark my previous post as an answer, so that will help to increase my points :) .. Just kidding.

    • Edited by Ilan_g Friday, August 28, 2015 10:26 AM
    Friday, August 28, 2015 10:17 AM
  • Are there any updates on the ability to control the firewall on a per container basis?
    • Edited by Jadeja Monday, December 4, 2017 11:50 AM
    Monday, December 4, 2017 11:50 AM