Integration with UCS/Firewall

From Univention Wiki

Jump to: navigation, search

In the default setting, all incoming ports are blocked by the UCS firewall. univention-firewall is a set of rules for iptables.

The Firewall for Docker Apps

Docker Containers have access to the Docker Host and the outside world via these variables in the ini file:


This will make port 9900 and port 80 of the Docker Container available on the Docker Host and for external clients. Port 80 inside the container is accessible as port 9911 outside!

This will also build up an implicit conflict list against other Apps that want to use these ports!


As described in Integration with UCS/Database, the ports for MySQL and Postgres are opened for the Docker Container automatically if specified in the ini file.

Web interface

A web interface on port, say, 8080, needs to be specified in the ini file:


Configuring the Firewall

Every App can provide rules, which free up the ports required. In this example the port 6644 is opened for TCP and UDP. It in the join script:

univention-config-registry set \
	security/packetfilter/package/"$APP"/tcp/6644/all="ACCEPT" \
	security/packetfilter/package/"$APP"/tcp/6644/all/en="$APP" \
	security/packetfilter/package/"$APP"/udp/6644/all="ACCEPT" \
[ -x "/etc/init.d/univention-firewall" ] &&
	invoke-rc.d univention-firewall restart
Personal tools