docs: add warning about Docker bypassing UFW rules in security documentation

- Introduced a Callout component to highlight the critical security issue of Docker bypassing UFW firewall rules. - Provided solutions for integrating Docker with UFW and configuring cloud provider firewalls for enhanced security.
2026-06-15 20:25:25 +02:00 · 2025-12-09 23:25:11 -06:00
parent 6686011059
commit 9ad59022b0
1 changed files with 15 additions and 0 deletions
--- a/apps/docs/content/docs/core/remote-servers/security.mdx
+++ b/apps/docs/content/docs/core/remote-servers/security.mdx
@@ -20,6 +20,21 @@ UFW is an essential security component that manages incoming and outgoing networ
 - ✅ Default incoming policy should be set to 'deny'
 - ✅ Only necessary ports should be opened

+<Callout type="warn">
+  **Important: Docker Bypasses UFW Rules**
+
+  Docker directly modifies `iptables` rules, which means it bypasses UFW firewall rules. This is a critical security issue: **ports exposed by Docker containers remain accessible from the public internet even when UFW rules should block them**, creating a false sense of security.
+
+  For example, if you have UFW configured to deny all incoming traffic by default, but you run a Docker container with `-p 3000:3000`, port 3000 will still be accessible from the internet despite your UFW configuration.
+
+  **Solutions:**
+
+  - **ufw-docker**: Use the [ufw-docker](https://github.com/chaifeng/ufw-docker) utility to properly integrate Docker with UFW, ensuring that Docker containers respect UFW firewall rules.
+
+  - **VPS Provider Firewall**: Configure your cloud provider's firewall (e.g., AWS Security Groups, DigitalOcean Firewalls) to block public access to Docker-exposed ports. This operates before Docker's iptables rules and provides reliable protection.
+
+</Callout>
+
 ### SSH Security
 Secure Shell (SSH) configuration is crucial for safe remote server access.