Made to Order Software Corporation Logo

Snap

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. Especially, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you want to indeed share that service with the rest of the world, it's very dangerous if you are working on that container service since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the IP address matches 192.168.1.0/24, the access is refused. The `eth0` interface name should be replaced with the interface name you use as the external ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block port 80, 8080, and 8081 from Docker.

Docker will add new rules that will appear after (albeit not within the DOCKER-USER list) and will open ports for whatever necessary service you install in your Dockers.

Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running so as a result I block quite usual HTTP ports from Docker.

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software from within that environment access to everything on your computer. This is particularly useful for publicly facing services liek Apache, Bind, etc.

CAPTCHA is not working against all robots anymore but...

No Junk Mail written on the mailbox window of this door.

Also many reCAPTCHAs are being bypassed, it still work against many robots, although newer robots use Artificial Intelligence and they are quickly able to bypass most of the reCAPTCHAs.

At some point, the main reason for the bypass was the fact that some people were getting paid to resolve those reCAPTCHAs. In other words, some people were offered the job to do just that! They go to a computer, resolve many reCAPTCHAs and get paid something like 2 cents per successful resolutions. The result is that websites with reCAPTCHAs still receive a lot of spam!

In 2017, it looks like such ...

Google Panda Change Beneficial to Press Releases

Today, BusinessWire disclosed the fact that they and their customers were benefiting from the changes made by Google to improve the giant search engine results.

The news is not that surprising since the Panda change was to eliminate most of the so called farmer websites. Websites that would copy news, most often as is, and not themselves create any additional value (Except to the owner by having advertising and other products and services for sale on their otherwise fairly useless website.)

Of course, many people are not happy as this change affected 11.8% of the US websites. Yet, users will ...

Upgrade to Snap! Business

$19.99

Snap! The best hosting service available.

 Upgrade Now! 
Thank you for upgrading to (Small Snap! Logo) Snap! Business. This is the best decision you could make.

Your business website is you online. Educate your leads by the writing of your journal, and offer quality pages full of information!

This upgrade enhances your existing (Small Snap! Logo) Snap! Blogger Free website with business quality features such as remote blogging, anti-spam features, incorporated social media capabilities, professional analysis, and much

$19.99

We have completely switched to Drupal!

Made to Order Software is proud to announce a complete switch-over of our main site to Drupal! With this switch we are introducing new features which we hope will make your visit to our site more enjoyable. cool

About Us

Here you will find a few of the software solutions that have been made possible by Made to Order Software Corporation. Feel free to contact us for more information.

Snap! Websites

Made to Order Software created Snap! Websites, a CMS system, which allows customers to create their own websites, hosted on our servers.

The new version of Snap! is actually Open Source. You can find more information about Snap! Websites Open Source on the Snap! Website a C+ CMS website.

A few customers using our old Snap! offer include:

Order ...