The original post: /r/selfhosted by /u/emch2 on 2024-10-06 15:50:48.

Hi everyone,

I’m usually more of a reader here, but I’ve been thinking about a network security issue and thought it might be helpful to get some advice. I’m trying to enhance the security of my network, particularly to protect it in the event that a Docker container is compromised.

Here’s my setup: I use Portainer, and each Docker Compose stack has its own network, in addition to a shared network that connects the frontend components to Traefik. As a result, Traefik has access to numerous networks. Everything is running on Proxmox and I use Unify Cloud Gateway Max as a router and to separate networks.

While having separate Docker networks for each stack adds some security, they can still access my local network VLAN dedicated to services. I’ve already segmented my network into different VLANs for guests, LAN, services, IoT, VMs, and privileged access.

I’m considering a few options:

  1. Macvlan: Create a separate subnet for Docker stacks, or ideally, for each individual Docker stack. This seems like a comprehensive solution, though potentially labor-intensive. However, since I’m using a UniFi environment, the firewall and VLANs are relatively user-friendly.
  2. Firewall Rules on Docker Host: This is something I’ve been hesitant about, due to perceived complexity. However, it might mitigate the risk of Traefik being compromised. If an attacker gains access to Traefik, they could potentially access all Docker containers, since each stack is networked with Traefik. I could set rules to allow only necessary connections from Traefik to containers.
  3. Proxmox Software Defined Network: I was thinking using Macvlan + Proxmox SDN. But it feels like it is the same as 1 but in Proxmox directly.
  4. Other Solutions: I’m open to suggestions. Is there a simpler, more user-friendly solution that allows for easy monitoring and management of container connections? Ideally, a solution with a user interface for managing connection permissions would be great.

Currently, I’m using Tailscale and Cloudflare Tunnels, but I plan to open up more access for friends and possibly the public internet. Am I overthinking this, or are there best practices I should follow to secure my setup?

How are you managing this kind of network security? Any advice would be greatly appreciated!

Thanks!