The shorewall documentation explains in http://shorewall.org/Docker.html how to configure shorewall for use with docker. The problem with the configuration is that it only allows connections from the host to the main bridge docker0. Connections to other networks on dynamically created bridges, with names starting by default with br-, are blocked. Instead of the recommended contents of /etc/shorewall/interfaces, use wild-card interface names as follows:
#ZONE INTERFACE OPTIONS
#dock docker0 bridge # disabled default recommendation
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1
This declares interfaces with names starting with docker, including the default docker0, and starting with br- to be in the dock zone.
For the rest of the configuration, follow the shorewall documentation as is.
This setup fixes problems running composite apps set up manually or using docker-compose.
If configured with the DYNAMIC_BLACKLIST=Yes option, you can use shorewall open, shorewall close and other commands for non-persistent changes (see https://shorewall.org/manpages/shorewall.html). You still have to update the config files to be sure changes are persistent. But the persistent rules won't get verified until you restart. I recommend using shorewall compile, which catches syntax errors but won't change the active rules. In practice, I find firewall rules pretty stable and the restart issues don't arise often. Using the shorewall commands is OK for testing which ports are needed when setting up new apps. I would still do one restart with the persistent configuration at the end. Bugs that won't show up until the next reboot are worse than one container restart.
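To show why the wild-card entries matter, here is an added example (my own code, not from the answer above or from Shorewall) that parses both versions of the interfaces file and applies Shorewall's trailing-plus prefix matching to a constructed list of host interfaces; the bridge name br-1a2b3c4d5e6f is a made-up docker-compose style name.

```python
"""Simulate how Shorewall assigns interfaces to zones from /etc/shorewall/interfaces.

A trailing '+' in a physical interface name is a wild card matching any
interface that starts with the preceding prefix (Shorewall documented behaviour).
"""

# Recommended upstream entry: only the main bridge is covered.
OLD_CONFIG = """#ZONE INTERFACE OPTIONS
dock docker0 bridge
"""

# Wild-card entries from the answer: every docker* and br-* bridge is covered.
NEW_CONFIG = """#ZONE INTERFACE OPTIONS
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1
"""

# Constructed interface list resembling a host running docker-compose projects.
HOST_INTERFACES = ["lo", "eth0", "docker0", "br-1a2b3c4d5e6f"]


def parse_interfaces(text):
    """Return (zone, physical_name, options) tuples from interfaces-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        zone, logical = parts[0], parts[1]
        options = {}
        for opt in (parts[2].split(",") if len(parts) > 2 else []):
            key, _, value = opt.partition("=")
            options[key] = value or True
        # physical=... overrides the logical name when present
        physical = options.get("physical", logical)
        entries.append((zone, physical, options))
    return entries


def matches(pattern, name):
    """Trailing '+' means prefix match; otherwise the names must be identical."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def zone_for(entries, name):
    """Return the zone of the first entry matching the interface, else None."""
    for zone, physical, _ in entries:
        if matches(physical, name):
            return zone
    return None


def zone_map(config_text, interfaces=HOST_INTERFACES):
    """Map each host interface to its zone (None = not covered by any entry)."""
    entries = parse_interfaces(config_text)
    return {name: zone_for(entries, name) for name in interfaces}
```

Running zone_map on both configs shows the compose bridge br-1a2b3c4d5e6f ends up in no zone under OLD_CONFIG but in the dock zone under NEW_CONFIG, while eth0 is untouched by either.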