On a Debian server (bookworm) I set up nftables and some sets of allowed IPv4 CIDR elements (downloaded from http://ipdeny.com). It means that my firewall allows access from some pre-defined countries only and denies access from all the other countries, thus protecting the server as much as possible.
To allow for updating / upgrading Debian and related software I defined another NFT set ("extra set") which contains CIDR entries for e.g. debian.org, docker.com, etc. These CIDR entries have been manually collected and entered after analyzing failing IPv4 addresses (due to the above-mentioned country-specific sets), checking the CIDR line in the output of "whois". This procedure is worth doing if the total number of these "special" CIDR entries is "small".
It turned out that for docker.com, its IPv4 address is ALWAYS changing, and consequently the CIDR changes, too. Whois always tells me that the IPv4 addresses belong to Amazon. To allow for updating / upgrading I have to add the "new" docker.com-related CIDR entries and restart nftables. An endless story.
No objections against Amazon; however, I would prefer a SINGLE CIDR entry for docker.com, thus keeping the "extra set" as small as possible and keeping the overall effort for maintaining the "extra set" small, too.
Could somebody give me a hint as to how to restrict "docker.com" to a single permanent CIDR entry? (I understand the concept of DNS, which resolves a URL like "docker.com" to an IPv4 address (and further via "whois" to a CIDR entry).)
I wonder why docker.com neglects security issues by "offering" many, many different IPv4 addresses for "docker.com". Or is security (in the "brave new world" [Aldous Huxley]) not an important issue any more?
Best regards, Dieter
Unfortunately, there is nothing one can try to circumvent this behavior.
What do I expect?
- I expect a SINGLE permanent CIDR entry for docker.com.
- This CIDR entry should NOT point to commercial companies like Amazon etc. (as it does now).
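As an added illustration (not code from the original post or its replies), an nftables ruleset modelling the setup described in the question: a country allow-list built from ipdeny zone files plus a hand-maintained "extra set". Table, set and chain names, the ports, and every CIDR value are constructed placeholders.

```nft
# Added example, not from the original post. All CIDRs below are
# constructed placeholders (RFC 5737 documentation ranges), not real
# ipdeny, debian.org or docker.com ranges.
table inet filter {
    # Country allow-list. Each ipdeny zone file is one CIDR per line and
    # is converted into elements of this set (flags interval + auto-merge
    # let nft accept overlapping/adjacent ranges without errors).
    set allowed_countries_v4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder CIDRs
    }

    # "Extra set": manually collected ranges for apt mirrors, Docker, etc.
    set extra_v4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 203.0.113.0/24 }   # placeholder CIDR
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept

        # Replies to the server's own outbound connections (apt, docker pull)
        # are accepted here by connection state, regardless of source country.
        # Only if outbound traffic is also filtered by destination does the
        # extra set have to list the remote ranges.
        ct state established,related accept
        ct state invalid drop

        # New inbound connections: allowed countries or the extra set only.
        ip saddr @allowed_countries_v4 tcp dport { 22, 443 } accept
        ip saddr @extra_v4 tcp dport { 22, 443 } accept
    }
}
```

Check the loaded set contents with `nft list set inet filter extra_v4` after `nft -f` has applied the file.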
You're not going to get one.
Amazon provides Docker's hosting services and IPs. Many of Amazon's load-balancing, CDN and multi-region features rely on the ability to swap IPs in and out, sometimes frequently. (In this specific case, hub.docker.com appears to use what AWS calls an Elastic Load Balancer.)
HTTPS is the security fix here, not a static IP address.