ufw-docker-automated

Manage docker containers firewall with UFW!

APACHE-2.0 License

Stars
196


ufw-docker-automated - v0.11.0 Latest Release

Published by github-actions[bot] over 1 year ago

Changelog

  • b012433 move client functions
  • 0ecd17c use zerolog to implement log levels
  • bf31f76 sync on socket reconnect, fix #47
  • 3cfdf54 cleanup context position
  • 8872230 bump dependencies

ufw-docker-automated - v0.10.0

Published by github-actions[bot] almost 2 years ago

Changelog

  • e5ac204 cleanup: use regex to match ufw syntax
  • da9c35a re-enable sync function
  • 384430b reconnect shouldn't return error
  • f0adbca use docker client's native filter
  • ec57c1f check deny out condition for deleting rules
  • 71c23e9 explicitly state inbound, outbound rules in logs
  • 5c9499d use go-cache for tracked containers
  • 6ad70a4 fix context & reconnect
  • 6fd5e04 simplify reconnect logic, context WIP
  • b0f2cd7 ci: update actions
  • 39ab998 update dependencies

ufw-docker-automated - v0.9.0

Published by github-actions[bot] almost 3 years ago

Changelog

  • 30adac5 ci: add goreleaser for cross compile. Support Raspberry Pi, fix #41
  • 2c2d387 implement startup check for existing containers, fix #40
  • 62f87a3 remove usage of event message when creating rules
  • 6f0a30e upgrade dependencies

ufw-docker-automated - v0.8.0

Published by github-actions[bot] almost 3 years ago

  • Fix potential panic #32
  • The program now stores container information in memory to avoid a potential race condition #36
  • Clean up 'ghost' rules on startup. The program goes through the existing ufw rules and deletes a 'ghost' rule if its container is either not running or not found. #12

ufw-docker-automated - v0.7.0

Published by github-actions[bot] almost 3 years ago

  • Outbound rules are implemented. You can now use the UFW_DENY_OUT=TRUE label to deny all outbound traffic, then use the UFW_ALLOW_TO label to allow traffic to a specific IP address/CIDR range, with an optional port and comment value. The syntax is similar to the UFW_ALLOW_FROM label.
  • The startup sync and cleanup feature is coming in the next release.

ufw-docker-automated - v0.6.0

Published by shinebayar-g almost 3 years ago

  • You can now write port-specific rules. For example, port 80 could be open to the internet, while port 8080 is allowed only from a specific network. See #29
  • UFW commands are now called with sudo, for compatibility with systems where the root user is not available.
  • Outbound rules are coming in the next release.

ufw-docker-automated - v0.5.0

Published by github-actions[bot] about 3 years ago

  • The app is now completely rewritten in Go. Installation is now a lot simpler: zero dependencies, a single binary download, and much faster!
  • Added support for supplying additional comments to the UFW_ALLOW_FROM label
  • Outbound rules are not reimplemented yet.

ufw-docker-automated - v0.4.0

Published by shinebayar-g about 3 years ago

  • Added UFW_ALLOW_FROM label support. This label takes comma-separated IP addresses as a list. Example: UFW_ALLOW_FROM=192.168.0.2;192.168.1.0/24
  • Added support for outbound rules. The UFW_ALLOW_TO (comma-separated IP addresses as a list) and UFW_DENY_OUTGOING (takes true/false) labels are supported.
  • Added support for ufw comments. UFW rules are added with the container ID as a comment, which helps clean up leftover rules.

Thanks to @mlollo

ufw-docker-automated - v0.3.0

Published by shinebayar-g almost 4 years ago

Added support for IP-based firewall rules. You can now use the UFW_FROM label with semicolon-separated IP addresses. For example:

➜  docker run -d -p 8080:80 -l UFW_MANAGED=TRUE -l "UFW_FROM=192.168.0.2;192.168.1.0/24" nginx:alpine
13a6ef724d92f404f150f5796dabfd305f4e16a9de846a67e5e99ba53ed2e4e7

➜  sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  

172.17.0.2 80/tcp          ALLOW FWD   192.168.0.2     <= allowing only 192.168.0.2 to access nginx server 
172.17.0.2 80/tcp          ALLOW FWD   192.168.1.0/24  <= allowing only 192.168.1.0/24 to access nginx server

Thanks to @mlollo
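
Container labels end up as arguments to a ufw command that runs with elevated privileges, so the label value deserves strict validation before any rule is built. The Go sketch below is an added example, not the project's own code: ParseSources and RouteAllowArgs are hypothetical names, and the rule shape (ufw route allow proto ... from ... to ... port ...) is an assumption based on the ALLOW FWD rows in the session above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ParseSources validates a semicolon-separated label value (IPs or CIDRs).
// One bad entry rejects the whole label, so nothing unparsed reaches ufw.
func ParseSources(label string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, raw := range strings.Split(label, ";") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue // tolerate a trailing ";"
		}
		if p, err := netip.ParsePrefix(entry); err == nil {
			out = append(out, p.Masked())
			continue
		}
		addr, err := netip.ParseAddr(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid source %q", entry)
		}
		out = append(out, netip.PrefixFrom(addr, addr.BitLen()))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no sources in label")
	}
	return out, nil
}

// RouteAllowArgs builds one ufw argument vector, for exec without a shell.
func RouteAllowArgs(src netip.Prefix, dst netip.Addr, proto string, port uint16) []string {
	return []string{"route", "allow", "proto", proto, "from", src.String(),
		"to", dst.String(), "port", fmt.Sprint(port)}
}

func main() {
	// Constructed input: label value and container address from the session above.
	srcs, err := ParseSources("192.168.0.2;192.168.1.0/24")
	if err != nil {
		panic(err)
	}
	for _, s := range srcs {
		fmt.Println("ufw", strings.Join(RouteAllowArgs(s, netip.MustParseAddr("172.17.0.2"), "tcp", 80), " "))
	}
}
```

Passing the slice to exec as separate arguments, rather than joining it into a shell string, keeps a malformed label from being interpreted as anything other than a rejected address.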

Package Rankings
Top 5.49% on Proxy.golang.org