Free browser-based DevOps audit tools: no signup, nothing leaves your browser
Does Hetzner's cloud firewall protect Docker ports? What you need to know
| Layer | Where it filters | Blocks ports Docker has published? |
|---|---|---|
| Hetzner Cloud Firewall | Network level, before packets reach your server's public interface | Yes, if a firewall is attached and the port is not allowed by a rule |
| UFW (on-server) | Inside your server, via iptables | No; Docker's own iptables chains are evaluated before UFW's rules |
Hetzner's cloud firewall filters at the network level, before packets reach your server's public interface, so a port it blocks is unreachable regardless of what Docker has done to the host's iptables. That is why it protects Docker-published ports and UFW does not: when Docker publishes a port it inserts its own rules (the DOCKER chain, reached from the FORWARD chain) ahead of the ufw-user chains, so the host firewall never gets a chance to drop the traffic. Two caveats: the cloud firewall only filters the public interface, so traffic arriving over a Hetzner private network is not subject to it; and it only takes effect once a firewall has been created and attached to the server.
A minimal inbound rule set for a typical web server looks like this (the final DENY is implicit: Hetzner drops any inbound traffic that no rule allows):

```text
ALLOW TCP 22    # SSH
ALLOW TCP 80    # HTTP
ALLOW TCP 443   # HTTPS
DENY  ALL       # everything else, including ports Docker has published
```
Even with a cloud firewall, bind database ports to localhost in your compose file. A loopback binding is unreachable from the public and the private network alike, so it limits the damage if the cloud firewall is ever detached or misconfigured.
```yaml
services:
  db:
    image: postgres:15
    ports:
      - "127.0.0.1:5432:5432"   # localhost only: double protection
```
If you're sending email from a Hetzner server, set a PTR record in the Hetzner Cloud console under Server → Networking → Primary IPv4 → Edit PTR. Receiving mail servers check that the reverse DNS of the sending IP matches its forward name, so a missing or mismatched PTR record hurts deliverability.
Paste your docker-compose.yml and the Docker Auditor flags every binding exposed on all interfaces (an explicit 0.0.0.0, or an entry such as "5432:5432" with no host IP at all, which Docker binds to 0.0.0.0 by default) with the exact fix.
Open Docker Auditor →

Once a cloud firewall is attached to a server, inbound traffic that no rule allows is dropped, so you explicitly allow what you need (a server with no firewall attached is not filtered at all; outbound traffic is allowed until you add an outbound rule). Add UDP 51820 if you run WireGuard, UDP 53 if you run a DNS server (plus TCP 53 for large responses and zone transfers), and any other UDP ports your services require.
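The two checks this page recommends, binding sensitive ports to loopback and allowing only the ports you need in the cloud firewall, can be reconciled offline. The following is an added example, not the page's Docker Auditor and not Hetzner's code. It assumes the compose file has already been loaded into a dict (for instance with yaml.safe_load) and that the firewall rules are in the shape the Hetzner Cloud API returns (direction, protocol, port, source_ips); the compose services and rules below are constructed. It goes slightly beyond the text: it handles the long-form ports syntax, bracketed IPv6 host addresses, UDP suffixes and entries that leave Docker to pick an ephemeral host port, and it reports for each published port whether it is reachable from the internet, reachable from restricted sources, stopped only by the cloud firewall, or safely on loopback.

```python
"""Audit docker-compose port bindings against a Hetzner Cloud Firewall rule set.
Added example, not the page's Docker Auditor. Assumed (not from the page): the
compose file is already loaded into a dict (e.g. yaml.safe_load) and the rules are
in the shape the Hetzner Cloud API returns. Both inputs below are constructed."""
import ipaddress
from collections import namedtuple

PUBLIC = {"0.0.0.0/0", "::/0"}   # source ranges that mean "the whole internet"

# host_ip is "0.0.0.0" when the entry names no host IP (Docker's default);
# host_port is "" when Docker is left to pick an ephemeral host port.
Binding = namedtuple("Binding", "service original host_ip host_port container_port proto")


def parse_port(service, entry):
    """Parse one compose `ports:` entry (short string or long-form dict) into a Binding."""
    if isinstance(entry, dict):                      # long syntax
        return Binding(service, str(entry), str(entry.get("host_ip", "0.0.0.0")),
                       str(entry.get("published", "")), str(entry["target"]),
                       str(entry.get("protocol", "tcp")))
    text = str(entry)                                # short syntax; YAML may give a bare int
    spec, _, proto = text.partition("/")
    host_ip, proto = "0.0.0.0", proto or "tcp"
    if spec.startswith("["):                         # bracketed IPv6 host, e.g. [::1]:5432:5432
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) > 3:
        raise ValueError(f"unrecognised port entry {text!r} in service {service}")
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    else:                                            # "9100": ephemeral host port on 0.0.0.0
        host_port, container_port = "", parts[0]
    return Binding(service, text, host_ip, host_port, container_port, proto)


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:                               # not an IP literal
        return False


def port_range(spec):
    """'22' -> (22, 22); '30000-32767' -> (30000, 32767); 'any' -> (1, 65535)."""
    lo, _, hi = str(spec).partition("-")
    return (1, 65535) if lo == "any" else (int(lo), int(hi or lo))


def covers(rule_port, host_port):
    """True when the rule's port (or range) contains the whole published host range."""
    (rlo, rhi), (hlo, hhi) = port_range(rule_port), port_range(host_port)
    return rlo <= hlo and hhi <= rhi


def allowing_rules(rules, proto, host_port):
    """Inbound rules whose protocol and port cover this published host port."""
    return [r for r in rules if r.get("direction") == "in" and r.get("protocol") == proto
            and covers(r.get("port", "any"), host_port)]


def audit(compose, rules):
    """(service, entry, status, fix) per published port. Statuses: loopback (fine),
    ephemeral (random host port on all interfaces, cannot be checked statically),
    internet (allowed from 0.0.0.0/0 or ::/0), restricted (allowed from some sources),
    cloud-blocked (only the cloud firewall stops it; UFW would not, Docker bypasses it)."""
    findings = []
    for service, spec in compose.get("services", {}).items():
        for entry in spec.get("ports", []):
            b = parse_port(service, entry)
            fix = f"127.0.0.1:{b.host_port}:{b.container_port}" + ("" if b.proto == "tcp" else f"/{b.proto}")
            if is_loopback(b.host_ip):
                status = "loopback"
            elif not b.host_port:
                status = "ephemeral"
            else:
                sources = {ip for r in allowing_rules(rules, b.proto, b.host_port)
                           for ip in r.get("source_ips", [])}
                status = "internet" if sources & PUBLIC else "restricted" if sources else "cloud-blocked"
            findings.append((service, b.original, status, fix))
    return findings


COMPOSE = {"services": {   # constructed sample, not real infrastructure
    "web":     {"image": "nginx", "ports": ["80:80", "443:443"]},
    "db":      {"image": "postgres:15", "ports": ["127.0.0.1:5432:5432"]},
    "redis":   {"image": "redis", "ports": ["6379:6379"]},            # no host IP: 0.0.0.0
    "vpn":     {"image": "wireguard", "ports": ["51820:51820/udp"]},
    "gitea":   {"image": "gitea", "ports": ["2222:22"]},
    "adminer": {"image": "adminer", "ports": [{"target": 8080, "published": 8081, "host_ip": "::1"}]},
    "metrics": {"image": "node-exporter", "ports": ["9100"]},           # ephemeral host port
}}
FIREWALL_RULES = [   # constructed, in the Hetzner Cloud API shape; unmatched inbound traffic is dropped
    {"direction": "in", "protocol": "tcp", "port": "2222", "source_ips": ["203.0.113.0/24"]},
    {"direction": "in", "protocol": "tcp", "port": "80", "source_ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "tcp", "port": "443", "source_ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "udp", "port": "51820", "source_ips": ["0.0.0.0/0", "::/0"]},
]

if __name__ == "__main__":
    for finding in audit(COMPOSE, FIREWALL_RULES):
        print("{:8} {:28} {:13} fix: - \"{}\"".format(*finding))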
Yes โ defence in depth is recommended. Hetzner firewall as the outer layer, UFW for the inner layer. UFW won't help with Docker, but it adds protection for non-containerised services running directly on the host.
Yes. Hetzner's Ubuntu and Debian images support both UFW and nftables. nftables is the successor to iptables and is recommended for new installations. Use sudo nft list ruleset to inspect rules.