Discussion: Docker bridge networking breaks the node under ufw-docker
TL;DR
When the node runs in Docker bridge networking on a Linux host that has
ufw-docker installed and active, the node never connects to peers
(Handshake with the remote timed out → AllPeersFailed, stuck at height 0).
Root cause (verified live): ufw-docker installs a DOCKER-USER rule that
drops all inbound UDP to container IPs on destination ports 0–32767 (see Root cause below). The
node's QUIC endpoint is a single UDP socket bound to port 3000 that is used
for both listening and dialing peers, so the peers' reply packets come back
to the container on dport 3000 — inside that dropped range. The return path
dies and every handshake times out.
Root cause
The ufw-docker-managed block in /etc/ufw/after.rules contains:
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8 # allow OUTBOUND from containers
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
...
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8 # <-- drops
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12 # <-- inbound UDP
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16 # <-- to low ports
-A DOCKER-USER -j RETURN
- A normal container dials out from a high ephemeral source port (e.g. 50000),
so replies return to dport 50000 (> 32767) and are allowed.
- The node dials every peer from the fixed source port 3000 (QUIC uses one
endpoint socket for listen + dial), so replies return to dport 3000
(≤ 32767) → matched by the deny rule → dropped.
Fixes
ufw-docker allow logos-node 3000/udp pins the container's IP at the moment it
is run: a reinstall or recreate that assigns the container a different
172.x.x.x address breaks the rule.
sudo ufw route allow proto udp to any port 3000 comment 'logos-node QUIC' might be more
suitable, but is possibly too broad for some. It should be fine if you're not exposing any
services.
- Make host networking the Linux default (bridge as opt-in)
- Keep bridge, pin a static container IP + document one ufw-docker allow
- Move the node's QUIC port above 32767
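To check a host for the return-path drop described above, here is an added shell script (not part of the node or of ufw-docker): it parses `iptables -S` output for the DOCKER-USER and ufw-user-forward chains, run here on constructed sample rules, and reports whether a peer's reply to the node's UDP port would be accepted by a `ufw route allow` rule, dropped by the ufw-docker deny, or passed through untouched.

```shell
#!/bin/sh
# Constructed sample of `iptables -S DOCKER-USER` on an affected host (iptables -S ordering, not a real capture).
SAMPLE_DOCKER_USER='-N DOCKER-USER
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 192.168.0.0/16 -j RETURN
-A DOCKER-USER -d 10.0.0.0/8 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.16.0.0/12 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -d 192.168.0.0/16 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -j RETURN'
# Constructed sample of `iptables -S ufw-user-forward` after `ufw route allow proto udp to any port 3000`.
SAMPLE_FORWARD_FIXED='-N ufw-user-forward
-A ufw-user-forward -p udp -m udp --dport 3000 -j ACCEPT'

# udp_reply_denied PORT RULES: exit 0 if a ufw-docker-logging-deny rule for UDP covers PORT, else 1.
# Handles both a range (--dport 0:32767) and a single port (--dport 3000).
udp_reply_denied() {
  printf '%s\n' "$2" | awk -v port="$1" '
    /ufw-docker-logging-deny/ && /-p udp/ {
      for (i = 1; i < NF; i++) if ($i == "--dport") {
        n = split($(i + 1), r, ":"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) hit = 1
      }
    }
    END { exit hit ? 0 : 1 }'
}

# udp_port_accepted PORT RULES: exit 0 if ufw-user-forward ACCEPTs UDP to PORT.
# DOCKER-USER jumps to ufw-user-forward first, so this ACCEPT wins over the later deny.
udp_port_accepted() {
  printf '%s\n' "$2" | grep -Eq -- "-p udp .*--dport $1( |$).*-j ACCEPT"
}

# quic_return_path PORT DOCKER_USER_RULES FORWARD_RULES: prints ACCEPT, DROP or PASS
# for a reply packet arriving from a public peer at the container's UDP PORT.
quic_return_path() {
  if udp_port_accepted "$1" "$3"; then echo ACCEPT
  elif udp_reply_denied "$1" "$2"; then echo DROP
  else echo PASS; fi
}

# Live use on a host: quic_return_path 3000 "$(iptables -S DOCKER-USER)" "$(iptables -S ufw-user-forward)"
```

With the sample chains, port 3000 yields DROP without the route rule and ACCEPT with it, while a port above 32767 yields PASS.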