diff --git a/README.md b/README.md index a20d100..70a6fbf 100644 --- a/README.md +++ b/README.md 
@@ -20,14 +20,19 @@ You can define rules per container using specific Docker labels: | **Label Key** | **Description** | **Default** | |----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------| | `magicfw.firewall.allow_icc` | Enables communication between the container and other containers on different Docker networks (not normally possible in Docker environments). | `false` | -| `magicfw.firewall.allow_external` | Enables access to external networks (e.g., the internet) for the container. | `false` | +| `magicfw.firewall.allow_external` | Enables access from external networks (e.g., the internet) for the container. | `false` | ### Behavior and Functionalities - **Allow ICC (Inter-Container Communication):** When `magicfw.firewall.allow_icc` is `true`, the container can communicate with other containers across **different Docker networks** (useful for applications like reverse proxies such as Traefik). If `false`, the container is isolated from other Docker networks (default Docker behavior). -- **External Traffic:** When `magicfw.firewall.allow_external` is `true`, the container's network rules allow communication with external IPs. +- **External Traffic:** When `magicfw.firewall.allow_external` is `true`, the container's network rules allow communication from external networks (useful when NAT is disabled). - **Automatic Rule Cleanup:** When a container is restarted, stopped, or removed, the corresponding firewall rules are automatically cleaned. - **Support for Published Ports:** Rules are auto-generated for any published ports, restricting incoming traffic to only the ports explicitly exposed via Docker. 
+## Install +To make the installation easy, I provide a package for Debian-based distros, follow the instructions here: [https://git.marcorealacci.me/marcorealacci/-/packages/debian/magicfw-docker](https://git.marcorealacci.me/marcorealacci/-/packages/debian/magicfw-docker) + +To install the script manually, the required dependencies are `python3` and the `docker` library available from PyPI (`pip3 install docker`). + ## Configuration ### Environment Variables @@ -56,13 +61,11 @@ services: labels: magicfw.firewall.allow_icc: "true" magicfw.firewall.allow_external: "true" - ports: - - 8080:80 ``` In the above example: - The `web` container can communicate with other containers on different Docker networks (`magicfw.firewall.allow_icc: true`). -- The container can be accessed by external hosts using the container's IP (`magicfw.firewall.allow_external: true`). +- The container can be accessed by external hosts using the container's IP (**not host IP!**) (`magicfw.firewall.allow_external: true`). This requires a route on other hosts or the router. #### Example 2 ```yaml @@ -92,7 +95,7 @@ services: In the above example: - The `web` container can communicate with other containers on different Docker networks (`magicfw.firewall.allow_icc: true`). -- External hosts can access the container via both :80 and :8080 (port mapping still works even with DISABLE_NAT) +- External hosts can access the container via both :80 and :8080 (port mapping still works even with `DISABLE_NAT` set to `true`, as only Source NAT will be disabled) - External hosts will not be able to access the container on ports other than 80 ---
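Review bot: In the first hunk the `magicfw.firewall.allow_external` row and its Behavior bullet flip the label from "access to external networks" (egress) to "access from external networks" (ingress), which reverses what the label controls for anyone already using it; the table should say explicitly that this label governs inbound traffic only, and the Behavior section should state what happens to a container's outbound traffic now that no label covers it, e.g. "- **External Traffic:** When `magicfw.firewall.allow_external` is `true`, external hosts may reach the container directly; outbound traffic from the container is not affected by this label." The new `## Install` section also lists the dependencies for a manual install (`python3`, `docker` from PyPI) but not how the script is then started or that it must run with enough privilege to manage the host firewall; one sentence naming the entry point and the service/cron/systemd unit expected would close that gap.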
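Review bot: In the second hunk, dropping `ports: - 8080:80` from Example 1 and adding "This requires a route on other hosts or the router." leaves the reader without the information needed to reproduce the example, since the Docker network's subnet is not shown anywhere in the snippet; consider adding an `ipam` block with a fixed subnet to the example's network definition and rewording the sentence to "This requires a route to the Docker network's subnet on the other hosts or on the router." The parenthetical "(**not host IP!**)" would also read more clearly as "(the container's own IP, not the host's)".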
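Review bot: In the third hunk the rewritten bullet "External hosts can access the container via both :80 and :8080 (port mapping still works even with `DISABLE_NAT` set to `true`, as only Source NAT will be disabled)" still contradicts the following bullet "External hosts will not be able to access the container on ports other than 80" unless the reader infers which address each port applies to; state it explicitly, e.g. ":80 on the container's IP, :8080 on the host's IP via the published port mapping", and say that the "other ports" restriction applies to the container IP. It would also help to use the same wording as the first hunk's Behavior bullet ("useful when NAT is disabled"), naming `DISABLE_NAT` there too, so both places describe the same Source NAT behavior.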