[CentOS] PostgreSQL port accessible even though it should be blocked by firewall

Tue Oct 30 16:38:35 UTC 2018
mark <m.roth at 5-cent.us>

Frank Thommen wrote:
> On 10/29/2018 08:43 PM, Keith Keller wrote:
>> On 2018-10-29, Frank Thommen <list.centos at drosera.ch> wrote:
>>> PostgreSQL is running in a docker container:
>>> $ docker ps
>>> CONTAINER ID        IMAGE                         COMMAND
>>> CREATED             STATUS              PORTS                    NAMES
>>>  6f11fc41d2f0        postgres                  "docker-entrypoint..."
>>> 4
>>> days ago          Up 4 days >5432/tcp
>>> postgres $
>>> The various docker interfaces and virtual bridges are not assigned to
>>>  any specific zone.
>>> Why is port 5432/tcp open?
>> It may be Docker manipulating the iptables rules.  If you don't want it
>>  open at all, remove the port argument from the docker run command line
>>  (or moral equivalent) and recreate the container (make sure you have
>> saved your data first, either with a volume mount or by dumping first).
> Unfortunately I can't control how users start their containers and I
> cannot force them not to forward ports.  But I will see if I can prevent
> Docker from manipulating iptables as described in the very helpful link
> below.
There is a security level, but it would break some user's docker packages.

The more I learn about docker, the more I actively dislike it as a massive
security hole.