ConfigClarity

Free browser-based DevOps audit tools: no signup, nothing leaves your browser

DigitalOcean + Docker + UFW

Docker bypasses UFW on Droplets: here's the complete fix

Important: UFW does not protect Docker ports on DigitalOcean Droplets. Docker writes directly to iptables, bypassing UFW's INPUT chain.

DigitalOcean Cloud Firewall (recommended)

DigitalOcean's Cloud Firewall operates at the network level, before traffic reaches your Droplet. It does block Docker-exposed ports.

✅ DigitalOcean Cloud Firewall inbound rules
SSH   TCP  22        Sources: your IP
HTTP  TCP  80        Sources: All IPv4, All IPv6
HTTPS TCP  443       Sources: All IPv4, All IPv6
# All other ports: no rule = denied

On-Droplet fix: bind to 127.0.0.1

services:
  redis:
    image: redis:7
    ports:
      - "127.0.0.1:6379:6379"
  postgres:
    image: postgres:15
    ports:
      - "127.0.0.1:5432:5432"
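Added example, not part of the original page and not ConfigClarity's Docker Auditor: a shell function that scans the ports: entries of a compose file and flags every mapping Docker would publish on all interfaces, i.e. everything that is not bound to 127.0.0.1 or ::1. The sample compose file it writes is constructed for the demo, and the function names audit_compose_ports and write_sample_compose are assumptions. It handles the short "HOST_IP:HOST:CONTAINER" / "HOST:CONTAINER" / "CONTAINER" syntax and reports the long target:/published: syntax as unchecked.

```shell
#!/bin/sh
# Added example (assumption: names and sample data are ours, not the page's).
# Published ports bypass UFW's INPUT chain, so any compose mapping without a
# loopback host address is internet-reachable unless a Cloud Firewall blocks it.

# Usage: audit_compose_ports docker-compose.yml
# Prints "<line>: <mapping>" for each exposed mapping.
# Returns 0 if every mapping is bound to loopback, 1 otherwise.
audit_compose_ports() {
  awk -v sq="'" '
    /^[ \t]*$/ { next }                      # blank lines do not end a ports: block
    /^[ \t]*ports:[ \t]*$/ { inports = 1; indent = match($0, /[^ ]/); next }
    inports && /^[ \t]*-[ \t]*/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m)           # drop the "- " list marker
      sub(/[ \t]*#.*$/, "", m)               # drop trailing comments
      gsub(/"/, "", m); gsub(sq, "", m)      # drop quotes
      if (m ~ /^[A-Za-z_]+:[ \t]/) {         # long syntax (target:/published:)
        print NR ": " m "  (long syntax, not checked)"; exposed = 1; next
      }
      if (m ~ /^\[/) {                       # bracketed IPv6 host address
        host = m; sub(/\].*$/, "", host); sub(/^\[/, "", host)
      } else if (split(m, p, ":") >= 3) {
        host = p[1]                          # HOST_IP:HOST:CONTAINER
      } else {
        host = "0.0.0.0"                     # no host address: all interfaces
      }
      if (host != "127.0.0.1" && host != "::1" && host != "localhost") {
        print NR ": " m; exposed = 1
      }
      next
    }
    # Any other line indented at or above the ports: key ends the block.
    inports && match($0, /[^ ]/) <= indent { inports = 0 }
    END { exit (exposed ? 1 : 0) }
  ' "$1"
}

# Constructed sample compose file for the demo (not from the page).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  redis:
    image: redis:7
    ports:
      - "127.0.0.1:6379:6379"   # loopback only, fine
  web:
    image: nginx:1.25
    ports:
      - "0.0.0.0:8080:80"       # explicit wildcard address, exposed
      - 8443:443                # no host address, exposed
  mongo:
    image: mongo:6
    ports:
      - "[::1]:27017:27017"     # IPv6 loopback, fine
    environment:
      - MONGO_INITDB_ROOT_USERNAME=admin
EOF
}

sample=$(mktemp)
write_sample_compose "$sample"
if audit_compose_ports "$sample"; then
  echo "OK: every published port is bound to loopback"
else
  echo "EXPOSED: the mappings above skip UFW; bind them to 127.0.0.1 or block them in the Cloud Firewall"
fi
rm -f "$sample"
```

Run it against your own file with audit_compose_ports docker-compose.yml; a non-zero exit status makes it usable as a CI gate.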

Verify your Droplet's exposure

# From another machine (or mobile data):
nmap -p 6379,5432,27017,3306 YOUR_DROPLET_IP

# All should show filtered or closed
# If any show open, you have an exposure
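The nmap check above needs a second machine. As an added example that is not from the page, this shell function does the complementary check on the Droplet itself: it parses the output of docker ps --format '{{.Names}}\t{{.Ports}}' and lists every published mapping whose host address is not loopback, which is exactly the traffic that skips UFW (ufw status will not show it). The docker ps lines below are constructed sample data, and the function names wildcard_published_ports and sample_docker_ps are assumptions.

```shell
#!/bin/sh
# Added example (assumption: names and sample data are ours, not the page's).
# Reads "name<TAB>ports" lines as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# on stdin and prints "name host_addr:host_port" for every mapping published
# on a non-loopback address. Returns 1 if any were found, 0 otherwise.
wildcard_published_ports() {
  awk -F'\t' '
    {
      name = $1
      n = split($2, maps, /, */)           # "a->b/tcp, c->d/tcp"
      for (i = 1; i <= n; i++) {
        if (maps[i] !~ /->/) continue      # listed in the image but not published
        hostside = maps[i]; sub(/->.*$/, "", hostside)   # ADDR:PORT
        addr = hostside; sub(/:[0-9-]+$/, "", addr)
        # Docker prints IPv6 wildcard as "[::]" (newer) or ":::" (older); both are exposed.
        if (addr == "127.0.0.1" || addr == "[::1]") continue
        print name " " hostside; found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample of what docker ps might print on a Droplet (not real output).
sample_docker_ps() {
  printf 'redis\t127.0.0.1:6379->6379/tcp\n'
  printf 'postgres\t0.0.0.0:5432->5432/tcp, [::]:5432->5432/tcp\n'
  printf 'web\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
  printf 'worker\t6379/tcp\n'
}

if sample_docker_ps | wildcard_published_ports; then
  echo "OK: nothing is published outside loopback"
else
  echo "EXPOSED: the mappings above are reachable through Docker's iptables rules regardless of UFW"
fi
# On a real Droplet run instead:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | wildcard_published_ports
```

Ports 80 and 443 on the web container are expected to show up here; the point is that anything else in the list (5432 above) must either be rebound to 127.0.0.1 or covered by a deny in the Cloud Firewall.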

Audit your compose file for port exposures

Open Docker Auditor →

Frequently Asked Questions

Does DigitalOcean's managed database service avoid this problem?

Yes. DigitalOcean Managed Databases (PostgreSQL, Redis, MySQL) do not run on your Droplet and have their own firewall based on trusted sources. If you use managed databases, the Docker UFW bypass only affects services you run yourself in containers.

Should I use UFW on a DigitalOcean Droplet?

Yes, as a defence-in-depth measure: use the DigitalOcean Cloud Firewall for network-level protection and UFW for rules on the Droplet itself. UFW won't help with Docker-published ports, but it protects non-containerised services. Use both.