Firewall on Arch Linux Docker VM - VincentSaelzler/HomeLab GitHub Wiki
Too Complicated
I absolutely hate to admit that doing something best-practice is too complicated. However, in this case, I am giving up.
I started following the Arch Wiki guide for a simple stateful firewall. The very first command it suggests running is iptables-save, which prints the rules currently loaded; the goal is to confirm that no rules are set yet.
However, when I ran it, I got a gigantic set of output related to Docker forwarding. I give up.
# iptables-save
# Generated by iptables-save v1.8.2 on Wed May 15 21:33:42 2019
*nat
:PREROUTING ACCEPT [66654:25650680]
:INPUT ACCEPT [8503:1607827]
:OUTPUT ACCEPT [582:80148]
:POSTROUTING ACCEPT [10913:685557]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.23.0.0/16 ! -o br-d5384f8f5ccd -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-218b3cfe3797 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-d5384f8f5ccd -j RETURN
-A DOCKER -i br-218b3cfe3797 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-218b3cfe3797 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.0.2:443
-A DOCKER ! -i br-218b3cfe3797 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.0.2:80
COMMIT
# Completed on Wed May 15 21:33:42 2019
# Generated by iptables-save v1.8.2 on Wed May 15 21:33:42 2019
*filter
:INPUT ACCEPT [41907:110655970]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12774:4083236]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-d5384f8f5ccd -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d5384f8f5ccd -j DOCKER
-A FORWARD -i br-d5384f8f5ccd ! -o br-d5384f8f5ccd -j ACCEPT
-A FORWARD -i br-d5384f8f5ccd -o br-d5384f8f5ccd -j ACCEPT
-A FORWARD -o br-218b3cfe3797 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-218b3cfe3797 -j DOCKER
-A FORWARD -i br-218b3cfe3797 ! -o br-218b3cfe3797 -j ACCEPT
-A FORWARD -i br-218b3cfe3797 -o br-218b3cfe3797 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-218b3cfe3797 -o br-218b3cfe3797 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.22.0.2/32 ! -i br-218b3cfe3797 -o br-218b3cfe3797 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-d5384f8f5ccd ! -o br-d5384f8f5ccd -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-218b3cfe3797 ! -o br-218b3cfe3797 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-d5384f8f5ccd -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-218b3cfe3797 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed May 15 21:33:42 2019
Next Steps
If anyone has concrete and concise knowledge about how to set up the firewall without destroying the Docker functionality, I am open to comments and/or a PR.
However, for now, I will just have to trust the pfSense firewall. This VM isn't on the public web, it's on my HomeLab LAN. I'm hoping it's not too big of a security concern!
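The dump above is noisy because Docker installs its own nat and filter rules every time it starts, which makes the guide's "confirm nothing is set" step hard to do by eye. As an added example (not from this wiki, and not a Docker tool), the script below sorts an iptables-save dump into rules Docker installs for its own networking and everything else, and separately lists what is in DOCKER-USER, the chain Docker documents as the place for administrator rules on forwarded traffic (it is evaluated before Docker's own FORWARD rules and Docker leaves its contents alone). The classification is a heuristic: a rule is treated as Docker-managed if it sits in or jumps to a DOCKER* chain, names a docker0 or br-<hex> bridge, or carries a source or destination inside a subnet the dump shows Docker masquerading. The sample input is a constructed excerpt of the page's dump plus one made-up ssh ACCEPT rule so there is something for the "other" bucket to find; the assumption that Docker networks are /16s (its default pool size) is what lets the first two octets identify a network.

```shell
#!/bin/sh
# Classify iptables-save output into Docker-managed rules and everything else.
# Heuristic, added here as an illustration; it is not part of Docker or the wiki.

# Constructed sample: trimmed from the page's own dump, plus a hypothetical
# "-A INPUT ... --dport 22" rule standing in for something an admin added.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.22.0.0/16 ! -o br-218b3cfe3797 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.2/32 -d 172.22.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A DOCKER ! -i br-218b3cfe3797 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.0.2:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# classify docker|other : reads a dump on stdin, prints the -A lines in that bucket.
classify() {
  awk -v want="$1" '
    /^-A / { lines[++n] = $0 }
    # Learn which subnets Docker masquerades from
    #   -A POSTROUTING -s A.B.C.D/M ! -o <bridge> -j MASQUERADE
    # Assumes /16 pools (Docker default), so the first two octets name the network.
    /^-A POSTROUTING -s [0-9.]+\/[0-9]+ ! -o (docker0|br-)/ && /-j MASQUERADE/ {
      split($4, o, "."); net[o[1] "." o[2] "."] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        l = lines[i]; split(l, f, " "); docker = 0
        if (f[2] ~ /^DOCKER/) docker = 1                         # lives in a Docker chain
        if (l ~ /-j DOCKER/) docker = 1                          # hands off to a Docker chain
        if (l ~ /-[io] (docker0|br-[0-9a-f]+)( |$)/) docker = 1  # names a Docker bridge
        for (p in net)                                           # talks to a Docker subnet
          if (index(l, "-s " p) || index(l, "-d " p)) docker = 1
        if ((want == "docker" && docker) || (want == "other" && !docker)) print l
      }
    }'
}

docker_rules() { classify docker; }
other_rules()  { classify other; }

# Rules an administrator placed in DOCKER-USER (the default "-j RETURN" is ignored).
docker_user_rules() {
  grep '^-A DOCKER-USER ' | grep -v '^-A DOCKER-USER -j RETURN$' || true
}

# Stand-alone run: report on the embedded sample.
# On a real host replace the printf with:  iptables-save | report
report() {
  dump=$(cat)
  echo "Docker-managed rules: $(printf '%s\n' "$dump" | docker_rules | grep -c '^-A')"
  echo "Other rules:";          printf '%s\n' "$dump" | other_rules
  echo "Rules in DOCKER-USER:"; printf '%s\n' "$dump" | docker_user_rules
}
printf '%s\n' "$SAMPLE" | report
```

Run against a live host, an empty "Other rules" section is the guide's "no rules set" condition with Docker's noise removed, and anything that later shows up under DOCKER-USER is what survives a Docker restart. Rules added directly to FORWARD, by contrast, sit behind Docker's own jumps and are not what Docker expects administrators to maintain.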