[CentOS] PostgreSQL port accessible even though it should be blocked by firewall

Tue Oct 30 15:34:17 UTC 2018
Frank Thommen <list.centos at drosera.ch>

On 10/29/2018 08:43 PM, Keith Keller wrote:
> On 2018-10-29, Frank Thommen <list.centos at drosera.ch> wrote:
>> PostgreSQL is running in a docker container:
>> $ docker ps
>> CONTAINER ID        IMAGE                         COMMAND
>>     CREATED             STATUS              PORTS                    NAMES
>> 6f11fc41d2f0        postgres                  "docker-entrypoint..."   4
>> days ago          Up 4 days >5432/tcp   postgres
>> $
>> The various docker interfaces and virtual bridges are not assigned to
>> any specific zone.
>> Why is port 5432/tcp open?
> It may be Docker manipulating the iptables rules.  If you don't want it
> open at all, remove the port argument from the docker run command line
> (or moral equivalent) and recreate the container (make sure you have
> saved your data first, either with a volume mount or by dumping first).

Unfortunately I can't control how users start their containers and I 
cannot force them not to forward ports.  But I will see if I can prevent 
Docker from manipulating iptables as described in the very helpful link 

> If you need something more complex, here's some docs on how Docker
> interacts with iptables, and how you can insert rules into its chains:
> https://docs.docker.com/network/iptables/
> --keith