
services

Docker, an advanced chroot utility

Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks described on this Docker and iptables page. In particular, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you do want to share that service with the rest of the world, but it is very dangerous while you are still working on that container service, since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the source IP address matches 192.168.1.0/24, access is refused. The `eth0` interface name should be replaced with the name of the interface you use for your external Ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block ports 80, 8080, and 8081 from Docker.

Docker adds its own rules, which appear after the DOCKER-USER rules (though not within the DOCKER-USER list itself), and these open ports for whatever services you install in your Docker containers.

Note that the only ports you have to block are ports that Docker will share and that you otherwise have open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running, so I block the usual HTTP ports from Docker.
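Added example (not code from the original page): Docker applies DNAT to a published port before the packet reaches DOCKER-USER, so a rule there has to match the original destination port with `--ctorigdstport`, as the rules above do, while a plain `--dport` sees the container port instead. This Python check audits an iptables-save style ruleset against a list of published ports; the `--dport 5000` rule, the port mapping and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: the page's DOCKER-USER rules plus one hypothetical
# --dport rule (not from the page) added for contrast.
SAMPLE_RULES = """\
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m tcp --dport 5000 -j DROP
COMMIT
"""
# Constructed mapping of published host port -> container port.
PUBLISHED = {8080: 80, 8081: 80, 5000: 3000, 9000: 9000}

def parse_docker_user(text):
    """Return each DOCKER-USER rule as a dict of option -> value."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "DOCKER-USER"]:
            continue
        rule, i = {}, 2
        while i < len(tok):
            if tok[i] == "!":  # negated match: flag it so it is not trusted
                rule["negated"], i = True, i + 1
                continue
            has_val = i + 1 < len(tok) and not tok[i + 1].startswith(("-", "!"))
            rule[tok[i]] = tok[i + 1] if has_val else True
            i += 2 if has_val else 1
        rules.append(rule)
    return rules

def audit(text, ext_if, published):
    """Classify each published host port as blocked, wrong-match or exposed."""
    # Only single-port DROP rules on ext_if count; rule order and jumps to
    # other chains (such as early_forward) are not evaluated.
    drops = [r for r in parse_docker_user(text)
             if r.get("-j") == "DROP" and r.get("-i") == ext_if and "negated" not in r]
    orig = {r.get("--ctorigdstport") for r in drops}  # pre-DNAT (host) ports
    post = {r.get("--dport") for r in drops}          # post-DNAT (container) ports
    result = {}
    for host, cont in published.items():
        blocked = str(host) in orig or str(cont) in post
        # A --dport rule naming the host port never fires: DNAT already ran.
        wrong = str(host) in post
        result[host] = "blocked" if blocked else "wrong-match" if wrong else "exposed"
    return result
```

Calling `audit(SAMPLE_RULES, "eno1", PUBLISHED)` reports port 5000 as `wrong-match` and port 9000 as `exposed`, the two cases the DROP rules on `eno1` do not actually cover.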

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software within that environment from accessing everything on your computer. This is particularly useful for publicly facing services like Apache, Bind, etc.

Google Panda Change Beneficial to Press Releases

Today, BusinessWire disclosed the fact that they and their customers were benefiting from the changes made by Google to improve the giant search engine results.

The news is not that surprising since the Panda change was meant to eliminate most of the so-called farmer websites: websites that copy news, most often as is, and do not themselves create any additional value (except to the owner, by having advertising and other products and services for sale on their otherwise fairly useless website).

Of course, many people are not happy as this change affected 11.8% of the US websites. Yet, users will ...

Cell Phones now open to telemarketers!

That's it! The phone commissioners have finally decided that it's OK for telemarketers to call cell phones and try to sell you their products and services.

Personally, I do not think that, in itself, it is a bad thing... except that if I receive even just 1 call a day and have to spend 1 minute each time, I will be burning 30 minutes a month for nothing. (Okay, with 1,000 minutes a month, it wouldn't matter that much, but that's like text messaging... if you receive spam via your phone and you have to pay 20 cents for each spam email you receive, the bill goes up quickly ...

GoldMoney.com

Watching the spiraling price of gold (the spot price as of this writing is $1,213.40/oz) has been a humbling experience for me. There are all kinds of marketing forces happening to cause this, but if you follow what the Austrian School folks are saying, this is not a surprising trend at all. Central banks around the world are dumping their U.S. dollars and buying up gold, which is driving the price up. But I think this is different from just another commodity bubble, because of the way gold is perceived: as a store of wealth. Traditionally investors who feel the currency they are in is threatened ...

Terms & Conditions

Made to Order Software Corporation
Terms and Conditions for the Online Services
offered by Made to Order Software Corporation

This Agreement ("Agreement") is by and between Made to Order Software Corporation ("m2osw") a Californian Corporation and You, your heirs, your agents, successors and assigns ("You" and "Your"), and is made effective as of the date of electronic execution, which is when you register for an electronic account to use the Web site of m2osw. This Agreement sets forth the terms and conditions of Your use of the Online Services ...

Documents & White Paper

Here you will find direct access to our stack of documents and white papers about our different products and services. If you have any question or comment, please feel free to contact us anytime.

| Name | Description | Size | Date |
|------|-------------|------|------|
| aggregator-6.20-m2osw-1.0.tar_.gz | aggregator-6.20-m2osw-1.0.tar_.gz | 23.12 KB | 04/05/2011 |
| aggregator-6.20-m2osw-1.1.tar_.gz | aggregator-6.20-m2osw-1.1.tar_.gz | 23.19 KB | 04/06/2011 |
| countries.txt | countries.txt | 2.61 KB | 08/03/2010 |
| gtk2-engines-gtk-qt_0.60-m2osw1_i386.deb | gtk2-engines-gtk-qt_0.60-m2osw1_i386.deb | 74.67 KB | 11/14/2009 |
| Table-top-presentation.swf | Web 2.0 — By Made to Order Software Corp. with Drupal | 344.2 KB | 06/23/2009 |
| Your_Reverse_Proxy_Server.pdf | Your_Reverse_Proxy_Server.pdf | 112.55 KB | 10/05/2009 |

Software Consulting Services

Made to Order Software Corporation offers software consulting, analysis, and development services at any stage of a project. Our analysts can provide you well-defined and thorough user and developer documentation for your project in a timely manner. We can determine the skill set necessary to accomplish the goals of the project, and maximize the number of workers on the project to shorten the development period.

From simple applications to complex e-Business solutions through realtime software and complex database systems, our people work at your convenience—in your office or ours.

ScreenWRITER television system ...

Made to Order Software Corporation


Made to Order Software Corporation specializes in corporate consulting, analysis and development services, as well as cutting-edge professional developer tools, libraries, training, and support. Our team of passionate developers is dedicated to uncovering your perfect software solution to analyze, enhance, or improve your critical computer systems—large or small.

Security Issues with the US government

Some people, I have noticed, have been skeptical about the amount of care taken by the US government and agencies in the last few years. Companies are also catching up. The security measures change every year, when not every semester, every month and for some, probably every day.

For sure, to make sure that the most wanted information remains top-secret, you need top-level security features on your network. I do not know how much data is of interest, but I found out today that there are hackers attacking the federal websites quite a bit…

“The Pentagon last month acknowledged ...

Increase Security with a Reverse Proxy Server

What is Reverse Proxy?

There are three excellent reasons to switch to a Reverse Proxy Server right away:

  1. Protect all of the sensitive data on your servers;
  2. Have only one gateway to the outside world;
  3. Ease the load on your web server by allowing the reverse proxy server to distribute the requests.

Figure 1 below presents a simplified setup of a Reverse Proxy Server.