DEV Community

Discussion on: Be careful with Docker ports!

Jannik Wempe

Hey Kevin, thanks for the info :-)
I am not quite sure if I am right, but maybe you should use "expose" instead of "ports".

From the docs:
Expose ports without publishing them to the host machine - they’ll only be accessible to linked services. Only the internal port can be specified.

Nevertheless, I didn't know that docker is somehow bypassing the firewall if a port is exposed to the host.

Jannik Wempe

Ah okay, I get it. Thanks for your explanations. Just thought the proxy would be in the same docker network.

Kevin Woblick Author

Absolutely. Using expose, or no port binding at all, is the safer approach. Unfortunately this does not work if you want to expose ports via proxy, which was the case for me. :(

Paulo Renato

When you use 9200:9200 you are indeed using 0.0.0.0:9200:127.0.1:9200 and this is a design flaw in docker, because 0.0.0.0 will expose you to the host and to the world.

Regarding expose, I think it is only there for backward compatibility with the deprecated option --links in order to allow inter-container communication inside the docker network, not for communication with the machine hosting the docker engine.

Here the use case is to really expose to the host what is running inside the container, thus it really needs to use ports, but always with the prefix 127.0.0.1.
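
Added example (not part of the thread and not Docker's own tooling): a small Python check over Compose short-syntax `ports` entries that reports which ones bind beyond loopback, covering the `9200:9200` versus `127.0.0.1:9200:9200` case discussed above. It assumes the daemon's default bind address is the stock 0.0.0.0; the function names and the sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample of Compose short-syntax "ports" entries.
SAMPLE_PORTS = [
    "9200:9200",               # HOST_PORT:CONTAINER_PORT, no host IP
    "127.0.0.1:9200:9200",     # loopback only
    "9300",                    # container port only, ephemeral host port
    "[::1]:5601:5601",         # IPv6 loopback
    "0.0.0.0:8080:80/tcp",     # explicit all-interfaces bind
    "192.168.1.10:8443:443",   # one specific non-loopback interface
]


def published_host_ip(spec: str) -> str:
    """Return the host IP a short-syntax port entry binds to.

    Assumption: the daemon default bind address (0.0.0.0) is unchanged.
    """
    spec = spec.split("/", 1)[0]            # drop "/tcp" or "/udp"
    if spec.startswith("["):                # bracketed IPv6 host IP
        host, closing, _ = spec[1:].partition("]")
        if not closing:
            raise ValueError(f"unterminated IPv6 host in {spec!r}")
        return host
    parts = spec.split(":")
    if len(parts) > 3:
        raise ValueError(f"unrecognised port entry {spec!r}")
    if len(parts) == 3:                     # HOST_IP:HOST_PORT:CONTAINER_PORT
        return parts[0]
    return "0.0.0.0"                        # no host IP given


def is_loopback_only(spec: str) -> bool:
    """True when the entry is published on a loopback address only."""
    return ipaddress.ip_address(published_host_ip(spec)).is_loopback


def audit(ports):
    """Return the entries that are reachable from other machines."""
    return [p for p in ports if not is_loopback_only(p)]


if __name__ == "__main__":
    for entry in audit(SAMPLE_PORTS):
        print(f"published beyond loopback: {entry} -> {published_host_ip(entry)}")
```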

Denis Rendler

Docker is NOT bypassing the firewall. It creates rules inside the kernel to redirect traffic that comes to the host, from the host's specific port to the app inside the container. As such, these rules are validated before your filter rules because the routing is done before the kernel starts checking the filter table rules. As such, if the container responds to the packet saying "it is for me" the kernel then says "handle it" and moves on to the next packet. Otherwise it goes on to check the other rules until either one matches or uses the default action - which on most Linux OSs is ALLOW.