  • Docker specifically creates rules for itself which are by default open to everyone. UFW (and underlying nftables/iptables) just does as it’s told by the system root (via docker). I can’t really blame the system when it does what it’s told to do and it’s been the administrator’s job to manage that in a reasonable way since forever.

    And (not related to linux or docker in any way) there’s still big commercial software which highly paid consultants install and the very first thing they do is to turn the firewall off…


  • This actually is a really good idea.

    Yes, for the reasons you mention. And very, very much no. My corporate hat immediately thinks about a crapload of stuff our network drives have which is under various NDAs, restrictions to store outside EU/ETA, restrictions to store even outside our country and so on. At least our accounts have mandatory MFA and other standard safety features, but cloud storage has a different threat model than our local hardware which also makes its own little headaches.

    I don’t play on the contract/legal field on corporate at all, but I do know that some of those NDAs have numbers big enough to bring the whole circus down and other clauses which can even throw someone in jail if things really go wrong. I just hope I’m not the scapegoat at that point.



  • VPN, Tor (and similar, like I2P), every imaginable P2P network, proxies, all non-http protocols (smtp, ftp, nntp, xmpp and other instant messengers and so on) can all transfer any kind of data, porn included. And a ton of other things. Heck, I’m quite sure there’s a Minecraft mod where you can assemble JPG-images out of the blocks and view them that way. And then you can use stuff like uuencode where you can use anything that can move plain text to transfer binary data.

    There’s no way to block all of that unless you shut the whole internet down. And even then you can still trade good old Playboy magazines with your friends. VPN in itself has very little to do with the actual problem, beyond that someone apparently noticed that their current “save-the-children” iteration had pretty large holes in it.


  • If they were really after kids watching porn (or even porn in general) it would be technically somewhat simple to force ISPs to provide filters on their end as a subscription service. I’m pretty sure I’ve even heard of that kind of service in the past. Make it even opt-out if you really want to.

    That way ISPs would just ban everything from pornhub and others unless you specifically want it allowed or even provide a portal where you could block reddit, twitter, tumblr or whatever you wish on your account. That kind of technology already exists and it’s used on many corporate setups.

    There’s obviously ways around that, but there’s no technical way to block every possible way to move bits between computers. Even if they would shut down the whole internet there’s still ways to build mesh-networks or even buy USB-drives from a shady alley.

    But as we all know, it’s not about porn and not about children.