• anyone gaining physical or remote access to the device can set rules. by protecting the entire network with a hardware firewall you mitigate attack vectors from other hardware on your network that become compromised.
• iptables and firewalld are notorious for locking users out of the system by overzealous or green system admins. in the msp world this happens practically by the hour.
• iptables and firewalld can be used against you in the event of a breach. one of the first things an attacker may attempt is to forward ports and lock system admins out as they take over the system.
• make sure you save your rules properly or they’ll be gone after a reboot or botched upgrade
• migrating your rules from one system to another when you’re changing hardware or restoring a system is a huge pain in the ass.
• got a network change that’s going to modify the subnet your systems are on? get ready to migrate all 15 of your devices one by one for the next 8-15 hours (depending on the complexity of your rules)

it’s far easier, and safer to have all your network config done in the network. from system migrations to securing/hardening. it’s far more efficient and effective to have a single source of truth that manages network routing and firewall rules. hell, you can even have a redundant or load balanced firewall configuration if you’re afraid of a single point of failure.

point is, firewalld and iptables is for amateur hour and hobbyists.

if you want to complain that “docker doesn’t respect system firewalls” then at least have the chutzpah enough to do it the right way from the beginning.

What if you rent a bare metal server in a data center?

any msp will work with your security requirements for a cost. if you can’t afford it, then you shouldn’t be using a msp.

Or rent a VPS from a basic provider that expects you to do your own firewalling?

find a better msp. if a vendor you’re paying tells you to fuck off with your requirements for a secure system, they are telling you that you don’t matter to them and their only goal is to take your money.

Or run your home lab docker host on the same vlan as other less trusted hosts?

don’t? IDK what to tell you if you understand what a vlan is and still refuse to set one up properly to segment your network securely.

It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.

don’t confuse reliable with convenient. iptables and firewalld are not reliable, but they are certainly convenient.

You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.

poor network architecture is no excuse. do it the proper way or you’re going to get your shit exposed one day.

this is the second time I’ve seen a post like this.

docker has always been like this. if it’s news to you then you must be new to docker.

if you’re using the built in firewall to secure your system on your wan, you’re doing it wrong. get a physical firewall. if you’re doing it to secure your lan then you just need to put in some proper routes and let your hardware firewall sort it out with some vlans.

don’t rely on firewalld or iptables for anything.

(sits in his Lamborghini Plex while a beautiful blonde gives him a handy) I’m fine, mate. Maybe later.

running GDM on two laptops, same models etc. Wayland glitches out all the time compared to x11.

• windows flickering in/out of existence
• random screen flickering
• random screen artifacts
• DPI scaling issues
• screen sharing doesn’t work

x11 just works. like, no problems. I get it, new stuff etc, but Wayland has a long way to go before I switch.

can’t wait for this to start. then maybe I won’t have to hear about it from the jellyfin shills every week.

I’m almost certain you changed your comment.

however, I fail to see the relevancy of proxies and tunnels to the content of the original post.

just pay for a lifetime pass…

going for the nuclear option I see…

no, it’s actually preferable that you don’t.

docker volume manager will actually mount it for you, you can see where using the “docker volume inspect {name}” command.

shilling or not for something you use is one thing, I made my comment because this post has a guerilla marketing smell to it.

it certainly educated me on their product and even tempted me to use it because of the real-life applications they provided. this is likely the “smell” that makes me distrust it.

top it off, I hate cloudflare because of all the engineers that use it. the unsurmountable percentage of the internet that is entirely dependent on cloudflare staying up is frustratingly apparent (especially recently).

seems like a huge risk and poorly planned. if I was invested in their product I would feel compelled to pull my support.

personally I only have one or two repos remaining in my github account. all the rest I have already moved to my selfhosted gitlab instance.

I guess I’m going to need to migrate those soon as well.

I love how everyone is like “ohh Linux phone! fuck Google!” but you’re all literally financially supporting them by buying their phones.

“I bought mine used!” yeah, well, someone bought it and then bought the new one only to sell to you as a way to pay for their new one so…🤷

I’ll believe in the Linux phone when there’s more than just pixel support.

Removed by mod

Removed by mod

• teams
• slack
• zoom
• Firefox browser capture for web screen share

never have I had any of these work for me, I’m not the only one either.

still doesn’t make me a liar and we can both be right.

so you’re sticking with “it works on my machine” then. cool.

also incorrect does not mean liar.

incorrect means not correct.

Removed by mod