docs(security): add Docker DOCKER-USER hardening guidance

This commit is contained in:
Doruk Ardahan
2026-02-26 17:09:33 +03:00
committed by George Pickett
parent 490670128b
commit 655cefaedd
2 changed files with 47 additions and 1 deletions


@@ -630,7 +630,50 @@ Rules of thumb:
- If you must bind to LAN, firewall the port to a tight allowlist of source IPs; do not port-forward it broadly.
- Never expose the Gateway unauthenticated on `0.0.0.0`.
### 0.4.1) mDNS/Bonjour discovery (information disclosure)
### 0.4.1) Docker port publishing + UFW (`DOCKER-USER`)
If you run OpenClaw with Docker on a VPS, remember that published container ports
(`-p HOST:CONTAINER` or Compose `ports:`) are routed through Docker's forwarding
chains, not only host `INPUT` rules.
To keep Docker traffic aligned with your firewall policy, enforce rules in
`DOCKER-USER` (this chain is evaluated before Docker's own accept rules).
Minimal allowlist example (IPv4):
```bash
# /etc/ufw/after.rules (append as its own *filter section)
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
-A DOCKER-USER -s 127.0.0.0/8 -j RETURN
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 192.168.0.0/16 -j RETURN
-A DOCKER-USER -s 100.64.0.0/10 -j RETURN
-A DOCKER-USER -i eth0 -p tcp --dport 80 -j RETURN
-A DOCKER-USER -i eth0 -p tcp --dport 443 -j RETURN
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
```
IPv6 has separate tables. Add a matching policy in `/etc/ufw/after6.rules` if
Docker IPv6 is enabled.
Quick validation after reload:
```bash
ufw reload
iptables -S DOCKER-USER
ip6tables -S DOCKER-USER
nmap -sT -p 1-65535 <public-ip> --open
```
Expected external ports should be only what you intentionally expose (for most
setups: SSH + your reverse proxy ports).
### 0.4.2) mDNS/Bonjour discovery (information disclosure)
The Gateway broadcasts its presence via mDNS (`_openclaw-gw._tcp` on port 5353) for local device discovery. In full mode, this includes TXT records that may expose operational details:
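Review bot: the source allowlist (`-s 127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `100.64.0.0/10 -j RETURN`) is not bound to an interface, so a packet arriving on `eth0` with a spoofed private source address is RETURNed before it reaches `-A DOCKER-USER -i eth0 -j DROP`; consider restricting those rules with `! -i eth0` (or placing an explicit `-A DOCKER-USER -i eth0 -s 10.0.0.0/8 -j DROP` style block ahead of them) and mentioning that `rp_filter` is expected to be on. Two smaller points: `eth0` is hard-coded, so the text should tell readers to substitute their actual public interface name, and the `nmap -sT -p 1-65535 <public-ip> --open` check only exercises `DOCKER-USER` when run from an external host, since a scan from the VPS itself hits the host `INPUT` path rather than Docker's forwarding chains.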


@@ -28,6 +28,9 @@ Sandboxing details: [Sandboxing](/gateway/sandboxing)
- Docker Desktop (or Docker Engine) + Docker Compose v2
- At least 2 GB RAM for image build (`pnpm install` may be OOM-killed on 1 GB hosts with exit 137)
- Enough disk for images + logs
- If running on a VPS/public host, review
[Security hardening for network exposure](/gateway/security#04-network-exposure-bind--port--firewall),
especially Docker `DOCKER-USER` firewall policy.
## Containerized Gateway (Docker Compose)
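Review bot: the new bullet links to the parent section anchor `#04-network-exposure-bind--port--firewall` while the text it points readers to is the newly added `0.4.1) Docker port publishing + UFW (DOCKER-USER)` subsection; linking to that subsection's own anchor would land readers on the `DOCKER-USER` policy directly. It would also help to state here the complementary mitigation the other file implies: bind published ports to the loopback host address (`-p 127.0.0.1:HOST:CONTAINER`, or the equivalent in Compose `ports:`) when a host-side reverse proxy fronts the Gateway, so the firewall chain is a second layer rather than the only one.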