19.03.2026 | Peter Gerken

Block raw network access for a container

docker-compose.offline.yml
services:
  web:
    cap_drop:
      - NET_RAW

Issue:

A containerised Drupal service, or any web service, running in an offline or restricted environment should not be able to send raw network packets. By default, Docker grants containers the NET_RAW Linux capability, which permits opening raw and packet sockets (SOCK_RAW, AF_PACKET). That is what arping and the classic ping need to craft their own packets, and it is also what sniffing or ARP spoofing against other containers on the same bridge network relies on. A web container only needs ordinary TCP sockets, so the capability is pure attack surface.

Solution:

Add this to the docker-compose.yml of any service ('web' is the example here) to take raw sockets away from it. Be clear about what it does and does not do: the container can no longer craft raw packets, but ordinary TCP and UDP traffic is unaffected, so cap_drop on its own does not stop the service from reaching the internet. For that, attach the service to a network declared with `internal: true` (no gateway out of the host) or set `network_mode: "none"`. Combined with such a network, dropping NET_RAW is useful to isolate a potentially unsafe project for an audit, for example.
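The following script, added here as an example and not part of the original post, puts the two settings together: it writes a complete compose file (assumed names: service web, network isolated, image drupal:10, file docker-compose.offline.yml) in which web drops NET_RAW and sits on an internal network, and it checks the result by reading CapEff from /proc/1/status inside the container and testing bit 13, the number of CAP_NET_RAW. The /proc/1/status excerpts in the script are constructed; the mask 00000000a80425fb is Docker's default capability set, and 00000000a80405fb is the same set with NET_RAW cleared.

```shell
#!/bin/sh
# Added example (not part of the original post): a standalone compose file in
# which "web" drops NET_RAW and is attached to an internal network, plus a check
# that decodes CapEff from /proc/1/status inside the running container.
# Assumed names: service "web", network "isolated", image "drupal:10", file
# docker-compose.offline.yml. The /proc status excerpts below are constructed.
set -eu

COMPOSE_FILE=docker-compose.offline.yml

# A complete file rather than an override, so no compose merge rules apply.
write_compose_file() {
  cat > "$COMPOSE_FILE" <<'EOF'
services:
  web:
    image: drupal:10          # assumed image; any web image behaves the same
    cap_drop:
      - NET_RAW               # no raw/packet sockets: no arping, no ARP spoofing
    networks:
      - isolated
networks:
  isolated:
    internal: true            # no gateway out of the host: TCP/UDP egress is blocked
EOF
}

# CAP_NET_RAW is capability number 13 (linux/capability.h). CapEff in
# /proc/<pid>/status is a hex bitmask of the effective capability set.
CAP_NET_RAW=13

# Exit 0 when bit $2 is set in the hex mask $1, 1 otherwise.
has_cap() {
  [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# Extract the CapEff mask from the text of a /proc/<pid>/status file.
cap_eff_of_status() {
  printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# Exit 0 when the status text shows CAP_NET_RAW dropped, 1 when it is still
# present or no CapEff line was found.
net_raw_dropped() {
  mask=$(cap_eff_of_status "$1")
  [ -n "$mask" ] || return 1
  if has_cap "$mask" "$CAP_NET_RAW"; then return 1; fi
  return 0
}

# Constructed excerpts of /proc/1/status (the real file uses tabs; awk does not care).
# 00000000a80425fb is Docker's default capability set; clearing bit 13 gives 00000000a80405fb.
STATUS_DEFAULT='Name: apache2
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'
STATUS_HARDENED='Name: apache2
CapInh: 0000000000000000
CapPrm: 00000000a80405fb
CapEff: 00000000a80405fb
CapBnd: 00000000a80405fb'

# Offline demonstration on the constructed samples.
net_raw_dropped "$STATUS_DEFAULT"  || echo "default set:       CAP_NET_RAW present"
net_raw_dropped "$STATUS_HARDENED" && echo "cap_drop applied:  CAP_NET_RAW gone"

# Live check against the running container (needs docker on the host).
check_running_container() {
  status=$(docker compose -f "$COMPOSE_FILE" exec -T web cat /proc/1/status)
  if net_raw_dropped "$status"; then
    echo "OK: CapEff=$(cap_eff_of_status "$status"), CAP_NET_RAW dropped"
  else
    echo "FAIL: CapEff=$(cap_eff_of_status "$status"), CAP_NET_RAW still present" >&2
    return 1
  fi
}

# The live part runs only when asked:  sh harden-check.sh run
if [ "${1:-}" = run ]; then
  write_compose_file
  docker compose -f "$COMPOSE_FILE" up -d
  check_running_container
fi
```

On a host with Docker, `sh harden-check.sh run` writes the file, starts the service and prints the verdict; `capsh --decode=00000000a80405fb` from libcap turns the same mask into capability names if you want to read the full set. Do not use ping as the test: Docker 20.10 and later opens net.ipv4.ping_group_range inside containers, so a current ping can fall back to an unprivileged ICMP datagram socket and keeps working without NET_RAW, whereas arping, which needs a packet socket, fails with EPERM. Reading CapEff is the reliable check.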