On 31/10/18 18:32, Gordon Messmer wrote:
On 10/30/18 8:31 AM, Frank Thommen wrote:
I am still puzzled that it is possible to circumvent firewalld so easily. Basically it means, that firewalld is not to be trusted as soon as containers with port forwarding are running on a system.
It's hard to see this as a security or trust problem. The root user can modify the firewall, which is provided by the kernel. firewalld is just a front-end. Adding rules to the kernel's firewall is not "circumventing" the management front-end.
You do have to bear in mind that the firewall-cmd output reflects the *configuration* and not the *state*. When docker adds rules, it modifies the state, but not the configuration.
I see that (=have learned that :-) now, but for me it means, that firewalld-cmd is not to be trusted (even though it is the recommended tool to manage the local firewall). I'll have to go back and try to understand confusing and hard-to-understand iptables output. :-(