CSF › Version
15.08
CSF › Release
Stable
System › OS
Linux
System › Distro & Version
Ubuntu 24.04.3 LTS
Control Panel › Name
Generic (None)
Priority
High
Issue Description
When CSF Docker integration is enabled, inbound traffic to Docker-published ports is allowed regardless of TCP_IN and UDP_IN restrictions defined in csf.conf.
This effectively bypasses CSF’s inbound firewall policy and exposes Docker services to the internet, even when the ports are explicitly not allowed.
Steps To Reproduce
- Install and configure CSF with Docker integration enabled (DOCKER = "1") and follow the steps in https://docs.configserver.dev/install/integrations/docker/?h=docker#setup
- Edit bridge_user_subnets="172.17.0.0/16 172.18.0.1/16" in the Docker integration post script (docker.sh under /usr/local/include/csf/post.d)
- Ensure TCP_IN and UDP_IN do not include the test port.
- Run a Docker container that publishes a port using docker compose.
- From an external host, connect to the published port:
curl http://:8080
Logs › Lfd
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Daemon started on 150-95-25-194 - csf v15.08 (generic)
Jan 4 18:37:25 150-95-25-194 lfd[4132]: WARNING Unable to send email reports - [/usr/sbin/sendmail] not found
Jan 4 18:37:25 150-95-25-194 lfd[4132]: LF_APACHE_ERRPORT: Set to [2]
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Restricting syslog/rsyslog socket acccess to group [mysyslog]...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: CSF Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: IPv6 Enabled...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Blocklist Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Country Code Lookups...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Exploit Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Temp to Perm Block Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: RESTRICT_SYSLOG: Unix socket permissions reapplied. Reopening log files...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/apache2/error.log...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/secure...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/messages...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/customlog...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/syslog...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/auth.log...
Config › csf.conf
TESTING = "0"
TCP_IN = "22"
UDP_IN = ""
DOCKER = "1"
Screenshots
root@server:/usr/local/include/csf/post.d# ./docker.sh --list
Container Name Shell IP IfLink ID Veth Adapter Network Mode Network List
7fc22fe22ab6 nginx-proxy-manager-... bash 172.18.0.2 6 vetha5268ed nginx-proxy-manage... [1] nginx-proxy-manager_default
├── BRIDGE br-7892cd916035
└── IP 172.18.0.2
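The reproduction above compares a published Docker port against TCP_IN/UDP_IN by hand. The following is an added example, not part of the report or of CSF itself: a small audit script that parses the TCP_IN/UDP_IN lines of csf.conf and the Ports column of `docker ps`, and lists every port Docker publishes on a non-loopback address that the csf.conf inbound lists do not allow. The csf.conf fragment and the `docker ps` output embedded below are constructed sample data (the container names are hypothetical); in live use the script reads /etc/csf/csf.conf and runs `docker ps` itself.

```python
import re
import subprocess
import sys

# Constructed csf.conf fragment mirroring the report: only TCP 22 is allowed in.
SAMPLE_CSF_CONF = '''
TESTING = "0"
TCP_IN = "22"
UDP_IN = ""
DOCKER = "1"
'''

# Constructed output of: docker ps --format '{{.Names}}\t{{.Ports}}'
# (hypothetical containers; the dual 0.0.0.0/[::] bind is how Docker lists
# a port published on both address families).
SAMPLE_DOCKER_PS = (
    "nginx-proxy-manager\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp, 0.0.0.0:8443->443/tcp\n"
    "admin-db\t127.0.0.1:5432->5432/tcp\n"
    "dns\t0.0.0.0:5353->53/udp, 53/tcp\n"
)

_CONF_RE = re.compile(r'^\s*(TCP_IN|UDP_IN)\s*=\s*"([^"]*)"', re.M)
# host:hostport[-hostport]->containerport[-containerport]/proto
_PUB_RE = re.compile(
    r'^(?P<host>\[[^\]]+\]|[^:]+):(?P<lo>\d+)(?:-(?P<hi>\d+))?'
    r'->\d+(?:-\d+)?/(?P<proto>tcp|udp|sctp)$'
)
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_csf_allowed(conf_text):
    """Return {'tcp': {ports}, 'udp': {ports}} from the TCP_IN / UDP_IN lines.

    Each comma-separated entry is a single port or an inclusive low:high
    range, which is the syntax csf.conf uses for these two settings."""
    allowed = {"tcp": set(), "udp": set()}
    for key, value in _CONF_RE.findall(conf_text):
        proto = "tcp" if key == "TCP_IN" else "udp"
        for entry in filter(None, (e.strip() for e in value.split(","))):
            if ":" in entry:
                low, high = (int(x) for x in entry.split(":", 1))
                allowed[proto].update(range(low, high + 1))
            else:
                allowed[proto].add(int(entry))
    return allowed


def parse_published_ports(ps_output):
    """Return [(container, host_port, proto)] for ports Docker publishes on a
    non-loopback host address. Entries such as '53/tcp' (exposed only inside
    the bridge network, not published on the host) are skipped."""
    published = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for spec in (p.strip() for p in ports.split(",")):
            m = _PUB_RE.match(spec)
            if not m or m.group("host") in LOOPBACK:
                continue
            lo = int(m.group("lo"))
            hi = int(m.group("hi") or lo)
            for port in range(lo, hi + 1):
                published.append((name, port, m.group("proto")))
    return published


def find_unlisted(conf_text, ps_output):
    """Published ports that TCP_IN / UDP_IN do not allow, as a sorted list of
    (container, port, proto). IPv4 and IPv6 binds of the same port collapse
    into one entry."""
    allowed = parse_csf_allowed(conf_text)
    hits = set()
    for name, port, proto in parse_published_ports(ps_output):
        if proto in allowed and port not in allowed[proto]:
            hits.add((name, port, proto))
    return sorted(hits)


if __name__ == "__main__":
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/csf/csf.conf"
    with open(conf_path) as fh:
        conf = fh.read()
    ps = subprocess.run(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    for name, port, proto in find_unlisted(conf, ps):
        print(f"{name}: {port}/{proto} published but not in "
              f"{'TCP_IN' if proto == 'tcp' else 'UDP_IN'}")
```

On the sample data this reports 8080/tcp, 8443/tcp and 5353/udp; the 127.0.0.1-bound database port is not listed because it is unreachable from outside the host. Note what the script does and does not prove: it is a static comparison of the published-port list against csf.conf, so it tells you which ports are exposed beyond what TCP_IN/UDP_IN say, not whether the firewall actually passes them. Docker publishes a port with a DNAT rule in the nat table and accepts the forwarded traffic in its own chains, which this script does not inspect; the external curl in the last reproduction step remains the check that confirms the bypass.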