
🐛 Bug: Docker Integration not honoring TCP_IN and UDP_IN, and allowing all traffic to containers #80

@MatrixEvo

Description

CSF › Version

15.08

CSF › Release

Stable

System › OS

Linux

System › Distro & Version

Ubuntu 24.04.3 LTS

Control Panel › Name

Generic (None)

Priority

High

Issue Description

When CSF Docker integration is enabled, inbound traffic to Docker-published ports is allowed regardless of TCP_IN and UDP_IN restrictions defined in csf.conf.

This effectively bypasses CSF’s inbound firewall policy and exposes Docker services to the internet, even when the ports are explicitly not allowed.

Steps To Reproduce

  1. Install and configure CSF with Docker integration enabled:
    DOCKER = "1"
    and follow the steps in https://docs.configserver.dev/install/integrations/docker/?h=docker#setup

  2. Edit bridge_user_subnets="172.17.0.0/16 172.18.0.1/16" within the integration csf post script

  3. Ensure TCP_IN and UDP_IN do not include the test port.

  4. Run a Docker container that publishes a port using docker compose

  5. From an external host, connect to the published port:
    curl http://:8080

Logs › Lfd

Jan 4 18:37:25 150-95-25-194 lfd[4132]: Daemon started on 150-95-25-194 - csf v15.08 (generic)
Jan 4 18:37:25 150-95-25-194 lfd[4132]: WARNING Unable to send email reports - [/usr/sbin/sendmail] not found
Jan 4 18:37:25 150-95-25-194 lfd[4132]: LF_APACHE_ERRPORT: Set to [2]
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Restricting syslog/rsyslog socket acccess to group [mysyslog]...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: CSF Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: IPv6 Enabled...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Blocklist Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Country Code Lookups...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Exploit Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Temp to Perm Block Tracking...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: RESTRICT_SYSLOG: Unix socket permissions reapplied. Reopening log files...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/apache2/error.log...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/secure...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/messages...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/customlog...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/syslog...
Jan 4 18:37:25 150-95-25-194 lfd[4132]: Watching /var/log/auth.log...

Config › csf.conf

TESTING = "0"
TCP_IN = "22"
UDP_IN = ""
DOCKER = "1"

Screenshots

root@server:/usr/local/include/csf/post.d# ./docker.sh --list

                       Container       Name                        Shell       IP              IfLink ID          Veth Adapter    Network Mode    Network List
                       7fc22fe22ab6    nginx-proxy-manager-...     bash        172.18.0.2      6                  vetha5268ed     nginx-proxy-manage...    [1] nginx-proxy-manager_default
                        ├── BRIDGE     br-7892cd916035
                        └── IP         172.18.0.2
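The report above is that Docker-published ports stay reachable even when they are missing from TCP_IN / UDP_IN. The script below is an added audit helper, not part of CSF or of this issue: it parses the TCP_IN / UDP_IN values from csf.conf text (comma-separated ports and low:high ranges), parses the port column of `docker ps --format '{{.Names}}\t{{.Ports}}'`, and lists every published port bound to a non-loopback address that CSF's inbound lists do not cover. Those are the ports a host affected by this bug would expose. The csf.conf and `docker ps` samples are constructed for the example; the file path and the docker command in the `__main__` block are assumptions about a typical host.

```python
"""Audit helper: find Docker-published ports that csf.conf's TCP_IN / UDP_IN do not allow.

Added example, not CSF's own code. It only compares configuration; it does not
probe the ports, so treat its output as a list of candidates to verify.
"""
import re
import subprocess

# Constructed csf.conf excerpt (sample input for the example).
SAMPLE_CSF_CONF = '''
TESTING = "0"
TCP_IN = "22,80,443,30000:30010"
UDP_IN = ""
DOCKER = "1"
'''

# Constructed `docker ps --format "{{.Names}}\t{{.Ports}}"` output (sample input).
# The last line shows an exposed-but-unpublished port, which Docker does not bind
# on the host and which the audit therefore ignores.
SAMPLE_DOCKER_PS = '''
nginx-proxy-manager\t0.0.0.0:8080->80/tcp, :::8080->80/tcp, 0.0.0.0:443->443/tcp
postgres\t127.0.0.1:5432->5432/tcp
coredns\t0.0.0.0:5353->53/udp, :::5353->53/udp
internal-only\t80/tcp
'''

# host:port->containerport/proto ; greedy host part also matches the IPv6 "::" bind.
_PUBLISHED = re.compile(r'^(?P<host>.+):(?P<port>\d+)->\d+/(?P<proto>tcp|udp)$')
_LOOPBACK = {'127.0.0.1', '::1', 'localhost'}


def parse_csf_ports(conf_text, key):
    """Return the set of port numbers allowed by a csf.conf key such as TCP_IN.

    Accepts the CSF list syntax: comma-separated entries, each a port or a
    low:high range. A missing or empty key yields an empty set.
    """
    match = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), conf_text, re.M)
    allowed = set()
    if not match:
        return allowed
    for item in match.group(1).split(','):
        item = item.strip()
        if not item:
            continue
        if ':' in item:
            low, high = item.split(':', 1)
            allowed.update(range(int(low), int(high) + 1))
        else:
            allowed.add(int(item))
    return allowed


def parse_docker_ports(ps_text):
    """Return {(host_port, proto): [container names]} for published ports that
    Docker binds on a non-loopback address (i.e. reachable from outside the host)."""
    published = {}
    for line in ps_text.strip().splitlines():
        if '\t' not in line:
            continue
        name, ports = line.split('\t', 1)
        for entry in ports.split(','):
            m = _PUBLISHED.match(entry.strip())
            if not m or m.group('host') in _LOOPBACK:
                continue
            key = (int(m.group('port')), m.group('proto'))
            published.setdefault(key, []).append(name)
    return published


def find_unlisted(conf_text, ps_text):
    """List (port, proto, [containers]) published by Docker but absent from
    TCP_IN / UDP_IN, sorted by port. With the bug described in this issue these
    ports are open to the internet despite csf.conf."""
    allowed = {
        'tcp': parse_csf_ports(conf_text, 'TCP_IN'),
        'udp': parse_csf_ports(conf_text, 'UDP_IN'),
    }
    findings = []
    for (port, proto), names in sorted(parse_docker_ports(ps_text).items()):
        if port not in allowed[proto]:
            findings.append((port, proto, sorted(set(names))))
    return findings


if __name__ == '__main__':
    # Assumed locations for a live run; adjust for the host being audited.
    with open('/etc/csf/csf.conf') as fh:
        conf = fh.read()
    ps = subprocess.run(
        ['docker', 'ps', '--format', '{{.Names}}\t{{.Ports}}'],
        capture_output=True, text=True, check=True,
    ).stdout
    for port, proto, names in find_unlisted(conf, ps):
        print(f'{port}/{proto} published by {", ".join(names)} is not in {proto.upper()}_IN')
```

Run it as root on the Docker host; an empty result means every externally bound published port is also listed in TCP_IN / UDP_IN, so CSF's policy and Docker's port publishing agree. Any line it prints marks a port whose exposure depends entirely on whether the Docker integration honours csf.conf, which is exactly what this issue reports it does not do.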
