I am toying around with Docker on OWRT. While the learning curve is steep, I am coming along and now have nginx running successfully (yeah, I am aware that there is an Owrt package), primarily as a proxy, and ycast, with more to come.
There remain, however, questions regarding the firewall, which right now I am a bit clueless about. The docker config tells me that by default, docker ignores all firewall rules, following a firewall configuration. I thought that would probably mean that every rule regarding the wan interface would somehow be applied to the docker0 device.
However, docker opens ports for all running services, in my case 80 and 443 for nginx (which is ok) but also 8181 for ycast, which I don't want to expose to the outside. It should only be available internally, through nginx, so I want that port blocked.
I tried by adding this rule to the firewall:
config rule
	option src 'wan'
	option dest_port '8181'
	option target 'DROP'
	option name 'Ycast Port'
But still, an online port scanner shows that port as open.
So, what am I doing wrong? Right now, I don't want to fix that on the docker side, by either modifying my docker-compose files or completely disabling fw rules there, but rather would like to know which rules I would have to apply to block port 8181 (and others in the future).
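An added example, not part of the original post: Docker publishes ports with DNAT, so traffic to 8181 is forwarded to the container instead of reaching the router's input path, and it has to be matched in Docker's DOCKER-USER chain by its original port. The script audits `iptables-save` output for published ports the WAN device can still reach. The device name `eth0.2`, the container addresses and the sample rules are constructed, and an iptables-based (not nftables) setup is assumed.

```shell
#!/bin/sh
# Added example. Constructed stand-in for `iptables-save` output on the router;
# device eth0.2 and the 172.17.0.x addresses are assumptions.
sample_rules() {
cat <<'EOF'
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.17.0.3:8181
COMMIT
*filter
-A zone_wan_input -p tcp -m tcp --dport 8181 -m comment --comment "!fw3: Ycast Port" -j DROP
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Print the published ports that have no DROP for WAN device $1 in DOCKER-USER.
# Rules are read from stdin.
exposed_ports() {
    awk -v wan="$1" '
        # A published port is a DNAT rule in the nat DOCKER chain.
        $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") pub[$(i + 1)] = 1
        }
        # After DNAT the packet is forwarded; DOCKER-USER sees the published
        # port only through conntrack (--ctorigdstport).
        $1 == "-A" && $2 == "DOCKER-USER" && /-j DROP/ {
            dev = ""; port = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-i") dev = $(i + 1)
                if ($i == "--ctorigdstport") port = $(i + 1)
            }
            if (dev == wan && port != "") blocked[port] = 1
        }
        END { for (p in pub) if (!(p in blocked)) print p }
    ' | sort -n | xargs
}

# Rule in iptables-save form; on the router it would be added with
#   iptables -I DOCKER-USER -i eth0.2 -p tcp -m conntrack \
#       --ctorigdstport 8181 --ctdir ORIGINAL -j DROP
FIX='-A DOCKER-USER -i eth0.2 -p tcp -m conntrack --ctorigdstport 8181 --ctdir ORIGINAL -j DROP'
with_fix() {
    sample_rules | awk -v r="$FIX" '$0 == "-A DOCKER-USER -j RETURN" { print r } { print }'
}

sample_rules | exposed_ports eth0.2   # input-chain rule only: 80 443 8181
with_fix | exposed_ports eth0.2       # with the DOCKER-USER rule: 80 443
```

On a real router, pipe `iptables-save` into `exposed_ports` with the actual WAN device name in place of the constructed sample.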