GP is being annoying and I agree with you for the most part and I feel Docker should have tried to play nicer with the firewall.

That said it is a mistake to consider Docker in the same class as nginx. Docker is a system for telling the Linux kernel how to set up the environments of processes. Doing whatever it can at the absolute lowest level of abstraction the kernel offers is kind of its entire gig.

I wouldn't expect Docker to be listening on anything. Docker isn't proxying any traffic into the container, it's just configuring how ports are forwarded from the host to the container.

> yes, it adds a forwarding rule. Which skips over the rest of my firewall rules.

... which you explicitly asked it to do by using the -p option.

No 3rd party application should be able to manipulate firewall rules. Hiding configuration details leads to mistakes.

It's not intended to be nefarious, but it can have bad consequences. I know the docker devs had good intentions to help people expose services, when they introduced this. However, they also "helped" people unwillingly expose services, oops.

Just because it was meant to be useful and harmless doesn't mean they didn't actually bypass the firewall rules by adding their own rules.

I agree, and tools that try to make something complex (nftables) simple and easy to use (UFW, Firewalld) should make that possible.

Different lists are a powerful nftables feature that is used in many system services and applications for things like routing and specialized forwarding. You can't just disable that without breaking tons of software.

Instead, tools like UFW should make it clear which ports are or aren't open and what firewall rules actually apply to the current system. They exist to save users from nftables and eBPF programming, and they should work as advertised.

Ufw advertises itself with "Ufw stands for Uncomplicated Firewall, and is program for managing a netfilter firewall" not "Ufw stands for Uncomplicated Firewall, which lets you add some firewall rules but doesn't manage all of them so you need to be extra careful if you use it."

I disagree that we need more tooling. We need better tooling. Docker and Kubernetes adding network filters makes total sense, they're useless without forwarding packets between devices.

UFW, on the other hand, pretends to make firewalls simple and easy to use when they're really not. I'm not expecting UFW to start managing Docker's/K8s'/libvirtd's firewall rules, I'm just expecting them to add a section of "ports opened by other applications" that show the open ports that UFW can't control.

I'm not sure how much this routing is really needed. I use nftables instead of iptables, so I told Docker to not touch anything.

I'm gradually getting rid of Docker (NixOS containers powered by systemd-nspawn are more convenient for me at the moment), so I don't have any fancy networking for it - but I still run it. I have a bunch of static nftables rules for the bridge (`iifname "docker0" ct state established,related counter accept` etc.) so the containers can access what they need. And then Docker uses docker-proxy for the exposed ports (paired with appropriate firewall rules when it's not on `lo`, where I have an umbrella `iif "lo" accept`) and it seem to works just fine.