Is it safe to expose docker container to the internet? Deluge- To seed


jang430


Hi. I use a Sophos firewall at home. For the longest time, I've been using the Deluge Docker container, and was able to download, but never able to seed, due to my Sophos firewall port being closed. I finally got it to work yesterday. A test from outside with canyouseeme shows the port is open.

In my Sophos XG firewall, I created a DNAT rule - source, network both set to any. Service is UDP, source port is 1:65535, destination port is still 1:65535 forwarded to NAS IP address, Deluge port 8112.

Right now, I can see that my Deluge is finally seeding. But when I check with canyouseeme, whatever port I type in, from 1 to 65535, it says port open.

Is this correct? Wondering if this is safe. Does anyone have experience regarding this?

Link to comment
Exposing a Docker container to the internet isn't any less safe than simply exposing Deluge to the internet through an open port.

That being said, no, that's not correct. You do not want to open every port to the internet. In Deluge select a port (or range of ports if you prefer, maybe like 5 - 10) and open those. Then ensure nothing else will use those ports.

What you've essentially done is told your router to accept all/any traffic from anywhere and forward it to your unRAID box. This is very bad.

You want to fix that immediately.

EDIT: Also, in case you weren't aware, ports 1 - 1024 are what are known as "well-known ports" and those should be avoided. I'd just pick something in the 10s of thousands.

Edited by Herdo
Link to comment

@Herdo, although I don't want to open up ports, due to seeding requirements for torrent, I have to open a few ports.  Noted on the known ports.  So anything that is random is better.  I suppose instead of doing source 1:65536 destination 1:65535, I change it to source 22xxx:22xxx and destination of 22xxx:22xxx, that will work?  That's all it takes?

Link to comment

Yes. I'm just saying, limit the scope of exposed ports. If I understood your post correctly, you essentially opened every port on your router from 1 - 65535.

 

Instead, designate one port. So src port 34854 - 34854 and dst port 34854 - 34854, as an example.

 

Then on deluge do the same. Change it from "use random port" to 34854 as you did in your router.

 

Again, that is just a random port I'm using as an example. You can set it to whatever you want.

Link to comment
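
The advice in the replies above (forward only the port Deluge listens on, and stay out of the 1 - 1024 range) can be checked mechanically before a rule goes live. This is an added example, not part of any post in this thread; the rule dictionaries, the function names and the ten-port limit are assumptions, and the format is constructed rather than Sophos XG syntax.

```python
# Added example: audit port-forward (DNAT) rules for over-broad exposure.
# The rule format below is constructed for illustration, not Sophos XG syntax.

WELL_KNOWN_MAX = 1024  # the thread treats ports 1 - 1024 as "well-known"
MAX_FORWARDED = 10     # assumed policy: at most a handful of ports per rule


def parse_ports(spec):
    """Parse 'lo:hi' or a single port into an inclusive (lo, hi) tuple."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return lo, hi


def audit_rule(rule):
    """Return a list of findings for one forwarding rule (empty means OK)."""
    findings = []
    lo, hi = parse_ports(rule["dst_ports"])
    count = hi - lo + 1
    if count > MAX_FORWARDED:
        findings.append(f"forwards {count} ports ({lo}:{hi}); "
                        "forward only the client's listen port")
    if lo <= WELL_KNOWN_MAX:
        findings.append("range includes well-known ports "
                        f"({lo}:{min(hi, WELL_KNOWN_MAX)})")
    if rule.get("source", "any") == "any" and count == 65535:
        findings.append("every port is forwarded from any source")
    return findings


def audit(rules):
    """Map each rule name to its findings."""
    return {r["name"]: audit_rule(r) for r in rules}


# Constructed sample rules mirroring the two configurations in the thread.
RULES = [
    {"name": "deluge-all", "proto": "udp", "source": "any", "dst_ports": "1:65535"},
    {"name": "deluge-one", "proto": "udp", "source": "any", "dst_ports": "34854"},
]

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```
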

I think the source port should be 1:65535? I've narrowed the destination port to 10 ports only. E.g. xxx10-xxx19.

Can anyone confirm if Deluge requires more than 1 port for outbound? It shows 2 fields in the app, signifying a range rather than just a port. In inbound, it only shows a field.


Link to comment
