Firewall

Mithrandir can optionally configure UFW with ufw-docker to control network access to your services.

Why ufw-docker?

Docker manipulates iptables directly, which means standard UFW rules do not apply to Docker-published ports. The ufw-docker utility solves this by managing rules in the DOCKER-USER iptables chain, which Docker respects.

DANGER

Always ensure SSH access is working before enabling the firewall on a remote server. The installer always allows port 22, but verify you can connect before closing your current session.

Install

```sh
mithrandir install firewall
```

This will:

  1. Install UFW (if not already installed)
  2. Install the ufw-docker utility
  3. Enable UFW with a default deny incoming policy
  4. Always allow SSH (port 22) to prevent lockouts
  5. Add firewall rules for all currently installed apps

How It Works

Once the firewall is enabled (ENABLE_FIREWALL=true in .env), mithrandir automatically manages UFW rules:

  • mithrandir install <app> — adds UFW rules for the app's ports
  • mithrandir uninstall <app> — removes UFW rules for the app's ports
  • mithrandir install <stack> — adds rules for all apps in the stack

Host-networked vs bridge-networked apps

Most Docker containers use bridge networking, where they communicate through Docker's virtual network and publish specific ports. Some apps use host networking, where the container shares the host's network stack directly. This distinction matters for firewall rules:

  • Bridge-networked apps (most apps): Rules are managed via ufw-docker allow <container> <port>, which works with the DOCKER-USER iptables chain.
  • Host-networked apps (Home Assistant, DuckDNS): Rules are managed via standard ufw allow <port>, since Docker doesn't manage their iptables entries.
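As an added example (not mithrandir's own code), this shell snippet maps the two cases above to the commands they produce, and reuses the lockout guard from the DANGER box: it refuses to touch rules unless `ufw status` already shows port 22 allowed. The function names, the `install`/`uninstall` action argument and the sample status text are constructed for this illustration.

```sh
#!/bin/sh
# rule_cmd ACTION NETWORK CONTAINER PORT[/PROTO]
#   ACTION   install | uninstall
#   NETWORK  bridge  | host
# Prints the ufw / ufw-docker command for one app port without running it,
# so it can be checked without root. Bridge apps go through ufw-docker
# (DOCKER-USER chain); host-networked apps use plain ufw.
rule_cmd() {
  action=$1; network=$2; container=$3; port=$4
  case "$action" in
    install)   verb="allow" ;;
    uninstall) verb="delete allow" ;;
    *) echo "rule_cmd: unknown action '$action'" >&2; return 2 ;;
  esac
  case "$network" in
    bridge) echo "ufw-docker $verb $container $port" ;;
    host)   echo "ufw $verb $port" ;;
    *) echo "rule_cmd: unknown network mode '$network'" >&2; return 2 ;;
  esac
}

# ssh_allowed STATUS_TEXT: succeed only if the 'ufw status' table already
# contains an ALLOW rule for port 22 (with or without /tcp).
ssh_allowed() {
  printf '%s\n' "$1" | grep -Eq '^22(/tcp)?[[:space:]]+ALLOW'
}

# Constructed sample of 'sudo ufw status' output, not captured from a real host.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8123                       ALLOW       Anywhere'

# apply_rule ACTION NETWORK CONTAINER PORT: run the rule for real (needs root),
# but only after confirming the SSH rule is present so a bad rule set cannot
# lock you out of a remote box.
apply_rule() {
  status=$(ufw status 2>/dev/null) || { echo "ufw not available" >&2; return 1; }
  ssh_allowed "$status" || { echo "refusing: port 22 is not allowed yet" >&2; return 1; }
  cmd=$(rule_cmd "$@") || return $?
  echo "+ $cmd"
  sh -c "$cmd"
}
```

Run it as root (or under sudo) and call, for example, `apply_rule install host homeassistant 8123` for a host-networked app or `apply_rule install bridge nextcloud 443/tcp` for a bridge-networked one.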

Setup Wizard

The setup wizard includes a firewall step after app installation. You can choose to enable or skip it. In --yes mode, the firewall is installed automatically.

Checking Status

View current firewall rules:

```sh
sudo ufw status
```

The mithrandir doctor command also checks firewall status and reports any issues.

Configuration

| Variable | Default | Description |
| --- | --- | --- |
| ENABLE_FIREWALL | (not set) | Set to true to enable automatic UFW rule management |

WARNING

The firewall requires the ufw-docker third-party utility, which is downloaded from GitHub. It modifies /etc/ufw/after.rules to integrate with Docker's iptables chains. If you have custom UFW rules, review the changes after installation.

Emergency Recovery

If you lose SSH access after enabling the firewall, you will need physical access or out-of-band console access (e.g. IPMI, cloud provider console) to your server. Once connected, disable the firewall:

```sh
sudo ufw disable
```

Then review your rules with sudo ufw status before re-enabling.