Made to Order Software Corporation Logo

downloads

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. Especially, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you want to indeed share that service with the rest of the world, it's very dangerous if you are working on that container service since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the IP address matches 192.168.1.0/24, the access is refused. The `eth0` interface name should be replaced with the interface name you use as the external ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block port 80, 8080, and 8081 from Docker.

Docker will add new rules that will appear after (albeit not within the DOCKER-USER list) and will open ports for whatever necessary service you install in your Dockers.

Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running so as a result I block quite usual HTTP ports from Docker.

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software from within that environment access to everything on your computer. This is particularly useful for publicly facing services liek Apache, Bind, etc.

DefineSound

Tag Info
Tag Number: 
14
Tag Type: 
Define
Tag Flash Version: 
2
Brief Description: 

Declare a sound effect. This tag defines sound samples that can later be played back using either a StartSound or a DefineButtonSound. Note that the same DefineSound block can actually include multiple sound files and only part of the entire sound can be played back as required.

Tag Structure: 
struct swf_definesound {
	swf_tag			f_tag;		/* 14 */
	unsigned short		f_sound_id;
	unsigned		f_sound_format : 4;
	unsigned		f_sound_rate : 2;
	unsigned		f_sound_is_16bits : 1;
	unsigned		f_sound_is_stereo : 1;
	unsigned long		f_sound_samples_count;
	unsigned char		f_sound_data[<variable size>];
};

A DefineSound tag declares a set of samples of a sound effect or a music.

The sound samples can be compressed or not, stereo or not and 8 or 16 bits. The different modes are not all available in version 2, although the same tag is used in newer versions with additional capabilities.

The f_sound_is_16bits is always set to 1 (16bits samples) if the samples are compressed (neither Raw nor Uncompressed).

Made to Order Software new website!

Made to Order Software Corporation is proud to present its expanded and redesigned website:

https://www.m2osw.com/

Our new website features a shopping cart for instant purchases and downloads. It is easy to use: select your product and enter your address and credit card information... and that's it! You'll then gain access to the full version of the software that you can download immediately and begin using in minutes.

In addition, we have added user forums for questions, tips, comments, and suggestions for all our products. Our software engineers monitor these forums and offer ...