-
Configure Docker daemon
When you want DFW to manage your firewall, it is essential that you disable the iptables-features integrated in the Docker daemon. Probably the easiest way to do this is to modify (or create) the file
/etc/docker/daemon.jsonand add the following contents:{ "iptables": false }Be sure to restart your Docker daemon afterwards. (You might also have to remove any rules the Docker-daemon might have already created in iptables. The easiest way to do this is to reboot your host.)
-
Migrate any custom iptables-rules you have to DFW.
DFW is only able to work with iptables if it manages the entire firewall ruleset. To still enable you to have custom rules, you can specify the
backend_defaults.initialization.{v4,v6}keys in your configuration.The configuration-keys allow you to add rules to any valid table. The only thing important is that the rules are valid iptables-syntax.
Example:
[backend_defaults.initialization.v4] filter = [ "-A INPUT -p tcp --dport 22 -j ACCEPT" ] nat = [ # Any rule you might want to add to the NAT-table... ] [backend_defaults.initialization.v6] filter = [ "-A INPUT -p tcp --dport 22 -j ACCEPT" ]
The general configuration happens across six categories:
-
global_defaultsThis category defines global, default values to be used by DFW and the other categories.
-
backend_defaultsThis category defines configuration values that are specific to the firewall-backend used.
-
container_to_containerThis controls the communication between containers and across Docker networks.
-
container_to_wider_worldThis controls if and how containers may access the wider world, i.e. what they can communicate across the
OUTPUTchain on the host. -
container_to_hostTo restrict or allow access to the host, this section is used.
-
wider_world_to_containerThis controls how the wider world, i.e. whatever comes in through the
INPUTchain on the host, can communicate with a container or a Docker network. -
container_dnatThis category allows you to define specific rules for destination network address translation, even or especially across Docker networks.
See the examples and configuration types for detailed descriptions and examples of every configuration section.
You have a few options of running DFW:
- Using the official Docker image (preferred!).
- Using a pre-built binary directly on your host.
- Install DFW through crates.io.
- Build from source.
$ docker pull pitkley/dfw:1.3.0
$ docker run -d \
--name=dfw \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /path/to/your/config:/config \
--net host --cap-add=NET_ADMIN \
pitkley/dfw:1.3.0 --firewall-backend iptables --config-path /configThis will download a lightweight image, coming in at around 20 MB, and subsequently run it using your configuration.
The image supports multiple architectures: amd64, arm64, armv7 (specifically armhf).
Please note that you can also pull the image from the GitHub container registry, GHCR, if you want to avoid potential pull-limitations Docker Hub has put in place:
$ docker pull ghcr.io/pitkley/dfw:1.3.0
$ docker run ... ghcr.io/pitkley/dfw:1.3.0 ...You can retrieve the latest pre-built binary from the GitHub releases page:
- Release page
- Direct download (static Linux x86_64 binary, no further dependencies required)
For this you need to first install Rust and then install DFW using cargo:
$ cargo install dfw
$ dfw --help
dfw 1.3.0
Docker Firewall Framework, in Rust
...For this you need to first install Rust. You can then check out the repository and build the binary:
$ git checkout https://github.com/pitkley/dfw
$ cd dfw/
$ cargo build --release
$ target/release/dfw
Docker Firewall Framework, in Rust
...