Fix Docker not respecting UFW Rules

It's important to keep services closed to outside connections when they don't need to be exposed. This is especially true for observability tools like Prometheus and cAdvisor: their endpoints reveal your system's full specifications, which hands an attacker exactly the reconnaissance they want.

However, managing this in Docker isn't easy. Port publishing is all-or-nothing: a port is either bound to an internal address only or exposed to the whole outside world. But what if you want to expose a port to the outside world while only allowing specific IPs to connect? This is where UFW (Uncomplicated Firewall) can help.

UFW is a user-friendly front end for managing iptables firewall rules: it wraps iptables and is easier to use than iptables directly. The problem is that Docker also writes its own iptables rules directly, so published container ports are reachable regardless of the rules UFW sets.

The solution is to stop Docker from modifying iptables itself by setting the following in /etc/docker/daemon.json:

{
  "iptables": false
}
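As an added example (not from the post), a small Python script that merges this setting into an existing /etc/docker/daemon.json without dropping other keys, and checks an `iptables -S` listing for Docker's own chains so you can confirm the change took effect after restarting the daemon. The function names and the sample listing are mine, not from the post.

```python
import json
import sys
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")  # path named in the post
# Chains dockerd creates only when it manages iptables itself.
DOCKER_CHAINS = {"DOCKER", "DOCKER-USER",
                 "DOCKER-ISOLATION-STAGE-1", "DOCKER-ISOLATION-STAGE-2"}

def merge_iptables_false(existing_text: str) -> str:
    """Return daemon.json text with "iptables": false, keeping other keys.

    Overwriting the file wholesale would silently drop settings such as
    log-driver or registry-mirrors; an empty or missing file counts as {}."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must hold a JSON object")
    config["iptables"] = False
    return json.dumps(config, indent=2) + "\n"

def docker_chains_present(iptables_listing: str) -> bool:
    """True if an `iptables -S` / `iptables -t nat -S` listing still references
    Docker's chains. After restarting dockerd with "iptables": false they are
    not recreated; leftovers persist until a reboot or a manual flush."""
    return any(tok in DOCKER_CHAINS
               for line in iptables_listing.splitlines()
               for tok in line.split())

def apply_setting(path: Path = DAEMON_JSON) -> str:
    """Rewrite daemon.json in place (needs root) and return the new text."""
    current = path.read_text() if path.exists() else ""
    new_text = merge_iptables_false(current)
    path.write_text(new_text)
    return new_text

# Constructed sample (not captured from a real host) of `iptables -S` output
# while Docker is still managing the firewall.
SAMPLE_BEFORE = """\
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp --dport 9090 -j ACCEPT
"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DAEMON_JSON
    sys.stdout.write(apply_setting(target))
    print("Restart the daemon to apply: sudo systemctl restart docker", file=sys.stderr)
```

Note that with `"iptables": false` Docker also stops adding the NAT masquerading rule for its bridge networks, so containers lose outbound connectivity until you add that NAT rule yourself.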

Published on September 28, 2024