Fluentd driver in swarm without exposing ports

I currently have a stack.yml like this:

version: '3.1'
services:
  app:
    ...
    logging:
      driver: fluentd
      options:
        tag: docker.manager.traefik

  fluentd:
    image: fluentd/fluentd-elastic
    environment:
      FLUENTD_CONF: 'fluentd.conf'
      FLUENTD_HOSTNAME: '{{.Node.Hostname}}'
      ELASTICSEARCH_URL: 'http://elasticsearch:9200'
    ports:
      - 24224:24224
      - 24224:24224/udp
    networks:
      - fek-stack
      - logging
    configs:
      - source: fluentd
        target: /fluentd/etc/fluentd.conf
    deploy:
      mode: global

Which I deploy using docker stack deploy -c stack.yml foo.

This works fine, apart from the fact that it exposes the ports of fluentd on every machine, meaning someone could potentially flood my logs?

What should I do?


Underlying cause

The driver uses the host network and not the app's network, which is why I need to expose the ports so that the driver can access fluentd over the host. But unfortunately you can’t tell fluentd to use the host network in a docker swarm, so I have to expose it publicly (not just on the host).

Source: StackOverflow