[FIX] PMS leveraged for amplified DDoS attack (SSDP)

Even that’s part of the confusion!

UFW isn’t part of the stack. UFW is just a front-end for configuring iptables. Docker will also interact with iptables to set up its networking.

The numerous Internet complaints about Docker “bypassing” UFW, or the “Docker + UFW security flaw”, are a misunderstanding of the Linux network security stack.

Which 100% confirms your point.

Volts,

Thank you for correcting my terminology:

  1. UFW = the tool to manipulate the firewall tables
  2. iptables / ipchains = the actual firewall.

I used UFW in the context of the unified solution in the same way I use “Docker” to include the S6-executive which manages the processes within that container and establishes all the linkages to the outside world.

1 Like

You’re showing your age there, old man. ipchains is out at the bar drinking well-aged whisky. :stuck_out_tongue:

I follow your point. And my point isn’t to correct the terms, but truly to agree with you that it’s complicated. It’s easy to build a functional-but-imperfect mental approximation of how the systems work.

It’s reasonable to expect that UFW rules will apply. It’s wrong, because that’s not the whole story. But it’s not a bug in the system - there’s nothing wrong with UFW.


Obviously Plex shouldn’t amplify UDP packets, and of course people expect it to be secure by default. So of course Plex should provide an update.

Equally obviously, people should use network firewalls, and shouldn’t expose unnecessary hosts or services to the Internet. So of course safe behavior should be encouraged.

They’re both important. One doesn’t replace the other, because they’ll both always be imperfect.


I think Plex has struck a reasonable balance already - it’s easy to do common things securely, and it’s possible to do uncommon things. It’s reasonable to expect more expertise and responsibility for the uncommon things.

Volts,
Friendly counterpoint?

  • Let’s assume I make cars for a living.

  • You keep crashing the cars you buy from me into telephone poles.

  • Is there something wrong with how I make the cars? :thinking:

@gbballpack

Taking that point to the extreme, if you will forgive me (i mean no disrespect),

How many legal disclaimers are required?

How many times must the terms of service be presented?

  1. It’s presented when the software is installed.
  2. It’s on constant display
    Terms of Service | Plex

I really do not wish to get drawn into a legal discussion. I’d prefer this stay at the friendly technical level of “How to provide the best solution to all?”

Thanks. I will forward anyway but it sounds like Engineering & Product have already been notified.

I had a minor CVE once when developing the new Debian installer scripting.

I was notified extremely quickly of it (within hours of discovery, our Engineering folks had notified me).

I was fortunate in that I could immediately effect a change which closed the vulnerability.

That was the first time, in all my years developing, one got out. SCARY.

Friendly is assumed. :slight_smile: Nope, nothing’s wrong with how you make the cars.

But I LOVE that analogy. Cars have gotten significantly safer.

If I crash into a pole, it’s my fault. I was going too fast for the conditions, and didn’t maintain safe control.

But my car has ABS, and stability assistance, and lane departure warnings, and blindspot monitoring, and speed limit warnings, and temperature alerts, and very good tires, and pre-collision braking.

It doesn’t drive for me, or stop me from crashing. But it gives me every possible advantage.

But you still drove into the pole?

Are you insane?

What did you do wrong? Drive with the doors open?

:rofl:

(you like Volvos, huh? :wink:)

1 Like

Perhaps a deer jumped in front of the car. Perhaps I was surprised by a flat tire.

I appreciate that the car makes it harder to drive into a pole, unless it’s deliberate. I’ll be very annoyed when I want to drive into a pole … and the car doesn’t allow me to do it.


There’s no way Plex can prevent people from deploying it “incorrectly” without also making it impossible to do reasonable things. I’m already annoyed by the baked-in private/RFC1918 restrictions.

But of course Plex is fixing the UDP amplification issue, even though it “should never” be configured that way.

I have one thing to say – Yes, you’ll cringe :slight_smile:

All this fuss about firewalls and Docker and that folks aren’t coddled.

If folks want to be coddled, prevented from doing things which are known unsafe,

– go back to Windows. (Last I looked, Docker doesn’t run there)

All this coddling is blocking what I know Linux can do for me. – Prime example. Turning off SSH tunnel? SERIOUSLY? WTF DOC? (ssh -L xxxx:127.0.0.1:32400 ip.addr.of.host)

:smiley:

Did. They. Tell. Plex?
No. Just posting it online isn’t notifying the developer. God you’re thick…

@Aaron-W

I forwarded it in our Security room the moment it was posted.
Plex has staff around the world.

I’m waiting for someone, in the right timezone, to confirm “Yes, it was received”.

OFFICIAL REPLY:

@Volts

This is why I like it when my car prevents me from driving into a wall or the rear end of the car in front of me :slight_smile:

Oh, of course it does.
… but the networking semantics are quite different from Linux.

Good thing I only do two things with Windows: Wash, and Break. :slight_smile:

1 Like

Neat, genuinely.

That’s kinda my point. There’s no way to provide notice that somebody may have an incorrect assumption about how things work.

Docker doesn’t override the rules created by UFW. That’s not the correct model for how the system works.

The Docker documentation is pretty clear about what it does with networking and how it interacts with iptables.

The UFW documentation is also pretty clear about how it interacts with iptables.

What’s a reasonable expectation of familiarity before operating a complicated system?

1 Like
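The posts above make the same point twice: UFW writes rules into the iptables INPUT chain, while Docker publishes container ports with DNAT rules in the nat table and lets the traffic through the FORWARD chain, so a published port is never evaluated against the UFW rules at all. Docker's own iptables documentation names the DOCKER-USER chain as the place for operator rules that should apply to that forwarded traffic. The script below is an added example (not code from this thread, from Plex, from Docker or from UFW) that audits an `iptables-save` dump for exactly that situation. The dump it ships with is constructed: the LAN range 192.168.1.0/24, the external interface `eth0`, the container address 172.17.0.2 and the published ports (TCP 32400, which the thread mentions, and UDP 1900, the SSDP port) are all assumptions for the sake of the example.

```python
"""Audit an iptables-save dump for Docker-published ports that bypass UFW INPUT rules.

Added example for the forum thread above, not code from Plex, Docker or UFW.
SAMPLE_IPTABLES_SAVE is CONSTRUCTED; on a real host feed it `sudo iptables-save`.
"""
import re

# Constructed dump: UFW accepts TCP 32400 only from the LAN in its INPUT-chain
# rules, but Docker publishes TCP 32400 and UDP 1900 via DNAT + FORWARD, and the
# DOCKER-USER chain contains nothing but Docker's default RETURN.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 172.17.0.2:32400
-A DOCKER ! -i docker0 -p udp -m udp --dport 1900 -j DNAT --to-destination 172.17.0.2:1900
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A ufw-user-input -s 192.168.1.0/24 -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
"""

# Same dump with an operator rule in DOCKER-USER: drop anything arriving on the
# assumed external interface eth0 that is not from the assumed LAN range.
SAMPLE_HARDENED = SAMPLE_IPTABLES_SAVE.replace(
    "-A DOCKER-USER -j RETURN",
    "-A DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP\n-A DOCKER-USER -j RETURN",
)

_DNAT_RULE = re.compile(
    r"^-A DOCKER .*?-p (\w+)\b.*?--dport (\d+)\b.*?-j DNAT --to-destination (\S+)"
)


def _tables(dump):
    """Split an iptables-save dump into {table_name: [append rules]}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def published_ports(dump):
    """Return (proto, port, destination) for every Docker DNAT rule in the nat table."""
    found = []
    for rule in _tables(dump).get("nat", []):
        m = _DNAT_RULE.match(rule)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def docker_user_has_restrictions(dump):
    """True if DOCKER-USER holds any rule whose target is not Docker's default RETURN."""
    for rule in _tables(dump).get("filter", []):
        if not rule.startswith("-A DOCKER-USER "):
            continue
        m = re.search(r"-j (\S+)", rule)
        if m and m.group(1) != "RETURN":
            return True
    return False


def audit(dump):
    """One finding per published port when nothing in DOCKER-USER filters forwarded traffic."""
    if docker_user_has_restrictions(dump):
        return []
    return [
        f"{proto}/{port} -> {dest}: reached via FORWARD, so INPUT-chain (UFW) rules never see it"
        for proto, port, dest in published_ports(dump)
    ]


def suggested_docker_user_rules(lan_cidr, wan_if):
    """iptables commands that confine published ports to lan_cidr on wan_if (both assumed)."""
    return [
        f"iptables -I DOCKER-USER -i {wan_if} ! -s {lan_cidr} -j DROP",
        "iptables -A DOCKER-USER -j RETURN",
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPTABLES_SAVE):
        print("FINDING:", finding)
    print("hardened dump findings:", audit(SAMPLE_HARDENED))
    print("\n".join(suggested_docker_user_rules("192.168.1.0/24", "eth0")))
```

Run against the constructed dump it reports both published ports, because the only DOCKER-USER rule is the RETURN Docker installs itself; against the hardened variant it reports nothing. The DROP rule it suggests is the pattern Docker's documentation gives for restricting external access to published ports; the interface name and LAN range are whatever your host actually uses, not the assumed values above.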

What I am saying is Netscout likely first learned about the plex server issue a few days ago, after the issue was already public for a month. “Responsible disclosure” is moot at this point.

1 Like

So this only confirms exactly what I said. Thank you! That it was not disclosed to them prior to publication.

mod edit: keep it civil please

Really no need to be calling him that and also it goes against the forum TOS man. No reason you can’t stay civil in your responses.

-Shark2k