Prefered networking for containers and SWAG


I would like to cleanup my home server and start to use SWAG.
I am using nextcloud, syncthing, home-assistant, unifi-controler as docker containers from LSIO. And nginx from linux distribution as reverse proxy now.

I decided setup separate rasperry pi 4 as test server where I would like to practice and learn how to deploy swag on my home server.

  1. I did create bridge network: sudo docker network create kontainers
  2. I am connecting each container to that network adding following lines at the end of docker-compose.yml
     name: kontainers
     external: true
  1. for example, configuration for home assistant is using network_mode: host
    I did commented that out because I dont need that and all my things are working

  2. SWAG, I did enable subdomain config for each service and did check if app name is same as container name.

question #1
all containers are on same network kontainers so they can ping each other. I think it is necessary for SWAG to access containers by name resolved from DNS.

  • is it ok from security point of view ?
  • is it docker way ?
  • or should I configure each container in separate network and connect SWAG to all networks ?

question #2
containers expose PORT for web gui, but I am connecting over SWAG using subdomain, so only SWAG needs to access container over that PORT.
I think that I can comment out that configuration from compose file. Is that correct?

question 3
I am using firewalld and it is not clear to me if I need to enable masquerade on public zone {there are two active zones, public and docker}.
for example: I have postgresql on host and nextcloud container is connecting it using host IP. So masquerade is necessary in this case. Or is there better way?

thank you for comments, ideas …

aha, I did forgot that docker is using iptables in background, so it manage all masquerade things itself …

so question #3 is not interesting anymore

just dont used firewalld with docker
maybe, but I did not find confirmation, you can change backend in firewalld config to used iptables instead nftables {which is default}

#0 Docker compose already create a new default network
#1 it is safe and you can usually secure access with a password
#2 you can leave the ports alone for local access, and open only 80/443 on your router for remote access via reverse proxy

Note :you will probably need to remove nginx from Linux before using Swag on the same web ports