Description
There is a well-known security concern when running Docker on an Ubuntu host that uses UFW as its main firewall: Docker's manipulation of iptables bypasses the rules created by UFW, so containers with published ports are reachable from outside by default despite UFW being enabled. Though there are existing methods of securing the network (e.g. binding published ports to 127.0.0.1), the extra security of UFW can be desirable.
See:
- docker and ufw serious problems moby/moby#4737
- https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu
- https://www.mkubaczyk.com/2017/09/05/force-docker-not-bypass-ufw-rules-ubuntu-16-04/
- https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/
- https://www.linux.com/news/how-fix-docker-and-ufw-security-flaw/
- https://svenv.nl/unixandlinux/dockerufw/
- https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
Most of these recommend disabling iptables manipulation with --iptables=false and manually configuring the rules as necessary.
More recently, two other workarounds have surfaced which do not use this flag and seem to be more robust:
- https://github.com/chaifeng/ufw-docker
- https://gist.github.com/rubot/418ecbcef49425339528233b24654a7d
These are at least a year old now, and despite the many results it's still not common knowledge as searches continue: https://trends.google.com/trends/explore?q=docker%20ufw&geo=US
It seems that the Docker team isn't interested in addressing this on their end, so the purpose of this issue is to request community feedback, determine best practices, and create a PR to hopefully add something to the documentation.
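As a practical first step for anyone evaluating the exposure described above, the following is an added example (not code from this issue or from any of the linked projects) that audits the port mappings of running containers and flags the ones bound to all interfaces, i.e. the mappings that Docker's iptables rules make reachable regardless of UFW's INPUT policy. It reads the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample output embedded below is constructed so the script runs offline, and the function name `flag_world_bound_ports` is this example's own.

```shell
#!/bin/sh
# Added example: find published container ports bound to every interface.
# Input lines have the shape produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# e.g.  web<TAB>0.0.0.0:8080->80/tcp, :::8080->80/tcp
# Mappings bound to 0.0.0.0 / :: are the ones exposed past UFW by Docker's
# own iptables rules; loopback or specific-IP bindings and unpublished
# ("6379/tcp", no "->") ports are skipped.

# Constructed sample of `docker ps` output (not taken from a real host).
SAMPLE_PS_OUTPUT=$(printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\ndb\t127.0.0.1:5432->5432/tcp\ncache\t6379/tcp\napi\t10.0.0.5:9000->9000/tcp, 0.0.0.0:9443->9443/tcp')

# flag_world_bound_ports: read "name<TAB>ports" lines on stdin and print
# "name hostport->containerport/proto" once per world-bound mapping
# (the IPv4 and IPv6 wildcard entries for the same port are collapsed).
flag_world_bound_ports() {
    awk -F'\t' '
    {
        name = $1
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue              # exposed but not published
            if (m ~ /^0\.0\.0\.0:/ || m ~ /^:::/ || m ~ /^\[::\]:/) {
                sub(/^0\.0\.0\.0:/, "", m)
                sub(/^:::/, "", m)
                sub(/^\[::\]:/, "", m)
                key = name SUBSEP m
                if (key in seen) continue        # already reported (v4/v6 pair)
                seen[key] = 1
                print name, m
            }
        }
    }'
}

# Usage on a live host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | flag_world_bound_ports
# Here it runs over the constructed sample; "web" and "api" are reported,
# "db" (loopback-bound) and "cache" (unpublished) are not.
printf '%s\n' "$SAMPLE_PS_OUTPUT" | flag_world_bound_ports
```

Anything this prints is a candidate for the mitigations the issue already lists: republish the port on 127.0.0.1 (or a host-internal address) so the mapping never lands on an external interface, or run the daemon with `--iptables=false` and write the rules by hand. The script only reports what is currently mapped; it does not tell you whether a given mapping is intentional, so read its output against your compose files and expected services.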