Score:1

ufw rules for Selenium grid


I use a Selenium Grid Docker container on my server, which can be accessed from the web at http://IP_address:4444. Please help me figure out how I can filter or disable this connection by adding some rules to ufw. I've tried something like this:

sudo ufw deny http/tcp
sudo ufw deny out http/tcp
sudo ufw deny 4444
sudo ufw deny out 4444

Unfortunately, none of these is working.

Score:0

Your Docker container might be bypassing the ufw rules. To fix that, go to (or create) /etc/docker/daemon.json, add { "iptables": false }, then reload Docker: sudo systemctl reload docker

If that still doesn't work, make sure ufw is enabled (sudo ufw enable), then allow incoming connections from your local network like this: sudo ufw allow 192.168.1.0/24 (replace 192.168.1.0 with your local network address if it is different), then block all incoming connections to port 4444 like this: sudo ufw deny in 4444

Now if you run sudo ufw status you should see something like:

Status: active

To                         Action      From
--                         ------      ----
4444                       DENY IN     Anywhere
Anywhere                   ALLOW IN    192.168.1.0/24

dyedfox: Thank you for the answer. "sudo ufw deny in 4444" has no effect at all. I still can access my server from anywhere by port 4444. I have no idea what is going on)
Saxtheowl: You can try sudo ufw reset, then sudo ufw deny proto tcp from any to any port 4444, and if that does not work, what does sudo ufw status give you?
dyedfox: I have tried these commands and I get this:

To                         Action      From
--                         ------      ----
4444/tcp                   DENY        Anywhere
4444/tcp (v6)              DENY        Anywhere (v6)

But I can still view the web interface on port 4444. Seems ufw doesn't work.
Saxtheowl: Are you sure your Selenium is using port 4444? Selenium Grid may use other ports for distributed testing. Another possibility is that your Docker container is bypassing the ufw rules; for that you can go to (or create) /etc/docker/daemon.json with { "iptables": false } then reload.
dyedfox: Yep, thanks. I guess Docker indeed can avoid ufw rules. The port is 4444 definitely.
dyedfox: Yes, thank you! Everything works fine. After creating /etc/docker/daemon.json with { "iptables": false } I managed to adjust ufw properly. I hope disabling iptables for Docker will not affect system security?
Saxtheowl: With ufw enabled, and since you only allow from your local network 192.168.1.0/24, you should be okay. I have updated my question; don't forget to validate it if it fits your demand.
Score:0

The solution is as simple as it can be.

Docker uses iptables and automatically updates its rules according to your docker compose or docker run parameters.

If you expose a port through Docker, this port gets exposed no matter what rules your firewall has configured.

But you can instruct the Docker engine to bind published ports to the loopback interface only:

docker run:

-p 127.0.0.1:27017:27017

docker compose:

ports:
  - "127.0.0.1:4444:4444"

The rest of the ufw rules will work properly as long as they are not overridden by Docker.
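Binding the host side of a port mapping to 127.0.0.1, as this answer recommends, keeps Docker's own iptables management intact (so containers keep their NAT and outbound connectivity) while leaving the port unreachable from outside the host. The following added example, which is not code from the thread or from Docker, lints a constructed docker compose fragment for ports: entries that lack a host address and rewrites them to the loopback form; the service and port values in the sample are made up.

```shell
#!/bin/sh
# Added example: find compose `ports:` entries that Docker would publish on
# every interface, and rewrite them so the host side binds to 127.0.0.1.
# Not code from the thread or from Docker.

# Constructed compose fragment (not from any real project).
SAMPLE_COMPOSE='services:
  selenium-hub:
    image: selenium/hub
    ports:
      - "4444:4444"
      - "127.0.0.1:4443:4443"
      - 7900:7900/tcp'

# Print the host port of every "- HOST:CONTAINER" entry that has no host
# address in front of it; those are published on 0.0.0.0 and [::] and are
# reachable ahead of any ufw rule.
unrestricted_ports() {
  printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*-[[:space:]]*"?([0-9]+):[0-9]+.*/\1/p'
}

# Rewrite such entries to "127.0.0.1:HOST:CONTAINER"; entries that already
# carry a host address are left untouched.
bind_to_loopback() {
  printf '%s\n' "$1" | sed -E 's/^([[:space:]]*-[[:space:]]*"?)([0-9]+:[0-9]+)/\1127.0.0.1:\2/'
}

# Stand-alone run: report the offending ports, then show the fixed fragment.
unrestricted_ports "$SAMPLE_COMPOSE"
bind_to_loopback "$SAMPLE_COMPOSE"
```

For a real file, `bind_to_loopback "$(cat docker-compose.yml)"` prints the corrected fragment; review it before writing it back, then recreate the containers so the new bindings take effect, and confirm with the host's iptables or socket listing that the port now appears only on 127.0.0.1.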
