GP Container Firewall

Measure	Detail
Dedicated proxy network	`gp-proxy` - only nginx-proxy and gp, isolated from other app containers
Dedicated DB network	`gp-database` - only gp and gpdb
Read-only webroot	`/data/SitoGpea2012:/var/www/html:ro`
No outbound internet	iptables DROP rules in DOCKER-USER chain
No host ports	Accessed only via reverse proxy
No privileged mode	Standard container capabilities

¶ GP Container Firewall Rules