What firewall/port-blocking options are there on BalenaOS when using host network mode?

Hello,
My project has an “app” container (business logic) and a “database” container (for persisting data). The app container needs to access bluetooth, and thus must be run with network_mode: host. It seems that, in order for the app container to communicate with the database container, the database container must also be run with network_mode: host.

This means (as far as I know) that any ports my containers expose for communication to each other (e.g. the database port) are now open to anyone who is on the same network as the device. I have tested this so far with an image in development mode only, and I was able to connect to the database without any trouble.

I was wondering if there is any way to configure the host OS to restrict incoming connections (on certain ports, or altogether), while still allowing the localhost connection that happens between the containers.

Alternatively, is there a better way to set up the database container so that it is accessible to the app container (which is on the host network), without exposing it on the host network itself?

Sidenote: I saw RESIN_HOST_FIREWALL_MODE mentioned on the device configuration page in the Balena Cloud Dashboard, but I couldn’t find any documentation on it anywhere. Does anyone know what it is for?

Some helpful info here: Does wifi-connect need to be mounted to host instead of port?

App can be reached by database using the IP address 172.17.0.1. Database can be reached by App by opening the port in the compose file and then using 0.0.0.0:portnumber from within App container.

To restrict external access to App, add in iptables rules or a restriction in your app to only accept requests from IP addresses starting with 172.

To restrict external access to Database, add the port as 127.0.0.1:80:80 where 80 is your port of choice. See this for more info: https://www.chrissearle.org/2018/09/21/ufw-with-docker/

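The two restrictions described in the answer above, as an added example that is not part of the original thread or of balenaOS itself: a compose fragment that keeps the app on the host network while binding the database's published port to 127.0.0.1 only, and a helper that emits (and optionally applies) the iptables rules limiting a host-network port to loopback plus the Docker bridge range. The port numbers (8080 for the app, 5432 for a Postgres-style database), the service names and the assumption that the Docker bridge lives inside 172.16.0.0/12 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from balena.
# Assumptions (constructed): app listens on tcp/8080 in host network mode,
# database publishes tcp/5432, Docker bridge addresses fall in 172.16.0.0/12.

# Emit a docker-compose fragment: app on the host network, database on the
# default bridge with its port published on the loopback address only, so
# the app reaches it at 127.0.0.1:<port> but other hosts on the LAN cannot.
compose_fragment() {
    db_port="$1"
    cat <<EOF
version: '2'
services:
  app:
    build: ./app
    network_mode: host
  database:
    build: ./database
    ports:
      - "127.0.0.1:${db_port}:${db_port}"
EOF
}

# Emit the iptables rules (one per line) that allow a host-network port
# from loopback and from the Docker bridge range, and drop everything else.
# Order matters: the two ACCEPT rules must precede the DROP.
app_port_rules() {
    port="$1"
    cat <<EOF
iptables -A INPUT -p tcp --dport ${port} -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ${port} -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -p tcp --dport ${port} -j DROP
EOF
}

# Apply the rules idempotently: "iptables -C" checks whether an identical
# rule already exists, so re-running the script does not duplicate rules.
# Requires root on the host; not executed by the checks below.
apply_app_port_rules() {
    port="$1"
    app_port_rules "$port" | while read -r cmd; do
        check_cmd=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        $check_cmd 2>/dev/null || $cmd
    done
}

# Stand-alone run: print both artefacts for review before applying anything.
if [ "${1:-}" = "show" ]; then
    compose_fragment 5432
    app_port_rules 8080
fi
```

Run with `sh firewall-example.sh show` to print the compose fragment and the rule list; call `apply_app_port_rules 8080` as root on the device once the rules look right. The loopback ACCEPT is what keeps container-to-container traffic working after the DROP, and the bridge range covers the database container's outbound calls to the app at 172.17.0.1.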

This is incredibly helpful, thank you so much! That is exactly what I was looking for.