Is it possible to block a container from reaching the internet? I only want this container to be able to communicate with the container network and the local LAN.
As the container uses the TrueNAS host IP to communicate outside of the container network, it seems I just can't block its IP on my firewall without affecting other containers and the host.
You need some form of firewall somewhere to block its IP, or if you just don't assign it a gateway IP - are services accessed INTO it? Or does it reach out to anything else?
I did a packet capture and it seems to use the host IP to communicate with remote networks, whereas it uses its local IP to communicate within the LAN.
I cannot block the host IP as it will block the TrueNAS from the Internet, so it won't be able to update etc.
Don't quote me on this, but do not the containers each talk through a port of their own? So you could create a block rule in your firewall that combines the TrueNAS host IP and the container port number from reaching out. Just a thought. I'm still on Core, so I haven't tried it myself.
The containers are normally bridged to the host using the default bridge. Use an isolating bridge with no gateway and then they can't get out of the "docker LAN".
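As an added example (not from any post in this thread), this is what the "isolating bridge with no gateway" suggested above looks like as a Docker Compose file. The service name `isolated-app`, the network name `isolated` and the `nginx:alpine` image are placeholders; any image works. The `internal: true` setting is Docker's own flag (`docker network create --internal`): Docker installs no default route in the container and no masquerade rule on the host for that bridge, so the container can talk to other containers on the same network but nothing beyond it.

```yaml
# Added example: an internal (isolated) bridge network for one container.
# Containers on "isolated" can reach each other, but have no route to the
# host's LAN or to the internet, so the host IP is never used on their behalf.
services:
  isolated-app:
    image: nginx:alpine          # placeholder image for the example
    networks:
      - isolated                 # attach ONLY to the internal network

  # A second container on the same internal network can still reach
  # isolated-app by name (Docker's embedded DNS works on internal networks).
  peer:
    image: alpine:3
    command: ["sh", "-c", "sleep infinity"]
    networks:
      - isolated

networks:
  isolated:
    driver: bridge
    internal: true               # no gateway, no NAT: the isolating bridge from the thread
```

Two caveats worth knowing before relying on it. First, `internal: true` cuts off the LAN as well as the internet, so it matches the last reply's "can't get out of the docker LAN" rather than the original poster's wish to keep LAN access; a container that must still be reachable from the LAN would need a second, non-internal network (or published ports on the host) and then the firewall question returns for that path. Second, verify the result rather than assuming it: `docker network inspect isolated` should show `"Internal": true`, and a quick `docker compose exec peer wget -T 3 -qO- https://example.com` from inside should fail while `wget -qO- http://isolated-app` succeeds.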