[CentOS] PostgreSQL port accessible even though it should be blocked by firewall
mark
m.roth at 5-cent.us
Tue Oct 30 16:38:35 UTC 2018
Frank Thommen wrote:
> On 10/29/2018 08:43 PM, Keith Keller wrote:
>
>> On 2018-10-29, Frank Thommen <list.centos at drosera.ch> wrote:
>>
>>>
>>> PostgreSQL is running in a docker container:
>>>
>>>
>>> $ docker ps
>>> CONTAINER ID   IMAGE      COMMAND                  CREATED      STATUS      PORTS                    NAMES
>>> 6f11fc41d2f0   postgres   "docker-entrypoint..."   4 days ago   Up 4 days   0.0.0.0:5432->5432/tcp   postgres
>>> $
>>>
>>>
>>> The various docker interfaces and virtual bridges are not assigned to
>>> any specific zone.
>>>
>>> Why is port 5432/tcp open?
>>>
>>
>> It may be Docker manipulating the iptables rules. If you don't want it
>> open at all, remove the port argument from the docker run command line
>> (or moral equivalent) and recreate the container (make sure you have
>> saved your data first, either with a volume mount or by dumping first).
>
> Unfortunately I can't control how users start their containers and I
> cannot force them not to forward ports. But I will see if I can prevent
> Docker from manipulating iptables as described in the very helpful link
> below.
>
<snip>
There is a security level, but it would break some user's docker packages.
The more I learn about docker, the more I actively dislike it as a massive
security hole.
mark