docs(security): document Docker UFW hardening via DOCKER-USER#27613
docs(security): document Docker UFW hardening via DOCKER-USER#27613grp06 merged 4 commits intoopenclaw:mainfrom
Conversation
|
Self-review: improvements from a second pass
|
openclaw-barnacle
bot
added
docs
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b9b8066d38
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
docs/gateway/security/index.md
Outdated
| -A DOCKER-USER -i eth0 -j DROP | ||
| -A DOCKER-USER -j RETURN |
There was a problem hiding this comment.
The documented DOCKER-USER allowlist hardcodes -i eth0 and then falls through to -j RETURN, which means on common VPS setups where the external NIC is named ens3/enp*, none of the interface-gated rules match and the intended deny rule is skipped, leaving Docker-published ports reachable from the internet even when users follow this guide exactly. Use a placeholder (for example <public-iface>) or an interface-agnostic deny pattern so the policy remains effective across host network naming schemes.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
good catch, thanks. i fixed this in b16c703.
i removed hardcoded interface rules and switched the example to interface-agnostic policy:
- allow trusted source ranges
- allow 80/443
- drop remaining NEW forwarded traffic
i also added a note that hardcoding eth0 is unsafe because interface names vary across VPS images.
Greptile SummaryAdded comprehensive Docker + UFW firewall hardening guidance to address a common security gap where users assume UFW alone protects Docker-published ports. The new documentation explains that Docker's forwarding chains bypass typical
The documentation follows repository conventions with proper Mintlify-compatible formatting, root-relative links, and generic placeholders. The iptables rules are technically sound as a minimal example and provide actionable hardening for self-hosted VPS deployments. Confidence Score: 5/5
Last reviewed commit: b9b8066 |
|
Security review note: The Docker Evidence I checked:
Actionable suggestion:
|
|
@bmendonca3 thanks, i applied both suggestions.
local docs check is green (pnpm check:docs). if CI still shows red, it looks unrelated to this docs change. |
grp06
force-pushed
the
codex/docker-ufw-hardening-docs
branch
from
d6b14cb to
31ddd43
Compare
|
Merged via squash. Thanks @dorukardahan! |
|
Thanks @grp06 for picking this up and merging it. I appreciate the changelog addition and the branch cleanup. I tested this guidance on my VPS and it matched what i observed in production. |
…aw#27613) Merged via squash. Prepared head SHA: 31ddd43 Co-authored-by: dorukardahan <[email protected]> Co-authored-by: grp06 <[email protected]> Reviewed-by: @grp06
Summary / What changed
docs/gateway/security/index.md:DOCKER-USERallowlist/drop policy guidanceafter6.rules) and validation commandsdocs/install/docker.mdso VPS users discover the hardening guidance earlier.Why
Docker-published ports are handled through forwarding chains. Without explicit
DOCKER-USERpolicy, users can think UFW is sufficient while exposure assumptions drift. This docs update gives concrete, actionable hardening guidance for common self-hosted setups.Tests
pnpm check:docsReal-world validation
DOCKER-USERpolicy (IPv4 + IPv6), reloaded UFW, and verified externally.Issue
Fixes #27612
AI-assisted disclosure