mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
[GH-ISSUE #3222] Licensing error when UFW enabled #32404
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @c-dethys on GitHub (Jun 4, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3222
Describe the Bug
Hello,
On a brand new VPS, I enabled UFW as a security default. I added the rules required in the documentation.
UFW status:
First error: unable to install Pangolin, with the installer, when UFW is enabled. It works when I disable it.
Second error: Unable to add a licence key with UFW enabled. It works when I disable it. Once the licence key is valid, I can re-enable UFW and it works like a charm.
But in the case of a restart of the container, the licence is lost and I have to disable UFW, reload the licence key, re-enble UFW.
Logs from Pangolin container:
Environment
To Reproduce
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 51820/udp
sudo ufw allow 21820/udp
sudo ufw enable
sudo ./installer > follow the installation
Expected Behavior
The installation of Pangolin
@AstralDestiny commented on GitHub (Jun 4, 2026):
Curious why you have ufw? It's not like it can stop docker traffic as it operates late in the iptables, At most it can tamper with outbound or docker isolation chains. Ufw for additional context inserts it's rule way too late in iptables to be really effective you want your iptables to be early and if you want to filter a container host you insert it into the docker-user chain or just don't ask docker to open ports if you don't ask it won't write iptable entries.
@AstralDestiny commented on GitHub (Jun 4, 2026):
Like docker will never open a port unless you explicitly ask docker to do so, Docs in ufw saying docker bypasses ufw is not correct it's just a lazy documentation, Think of the host like a nightclub, docker's rules sit infront of the nightclub(host) and ufw inserts it's rules lower down say near the bar area, Well people are already in the nightclub even if ufw is screaming no, I wouldn't really view ufw as a security thing it's a conveince script that will bite you for heavy traffic.
Say you have postgres, It's within a container don't add ports, It's still reachable by other containers but docker hasn't been told "Hey make an iptable entry for me that opens 0.0.0.0:5432 on the host's firewall and route this down to the container for me"