From 8d9f59ce1d7f8295faed33e48ee573a58e9250e8 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Thu, 1 May 2025 10:59:07 +0100 Subject: [PATCH 1/2] Update warning about ports published to 127.0.0.1 Fixed in 28.0.0 - aligning with packet-filtering-firewalls.md. Signed-off-by: Rob Murray --- content/manuals/engine/network/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/manuals/engine/network/_index.md b/content/manuals/engine/network/_index.md index 048834851b..97583dfe8a 100644 --- a/content/manuals/engine/network/_index.md +++ b/content/manuals/engine/network/_index.md @@ -160,8 +160,8 @@ Here are some examples: > > > [!WARNING] > > -> > Hosts within the same L2 segment (for example, hosts connected to the same -> > network switch) can reach ports published to localhost. +> > In releases older than 28.0.0, hosts within the same L2 segment (for example, +> > hosts connected to the same network switch) can reach ports published to localhost. > > For more information, see > > [moby/moby#45610](https://github.com/moby/moby/issues/45610) From 942475214bb055e6c42aeaa9d81a99aa8cf77f4b Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 7 May 2025 14:54:40 +0100 Subject: [PATCH 2/2] Update text about direct routing Since 28.0.0, direct access to container ports from outside the host has been blocked. Signed-off-by: Rob Murray --- .../manuals/engine/network/packet-filtering-firewalls.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index cc935a2eba..99f28b38df 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md 
@@ -234,14 +234,14 @@ $ docker run --network=mynet -p 8080:80 myimage ``` Then: -- Only container port 80 will be open, for IPv4 and IPv6. It is accessible - from anywhere, if there is routing to the container's address, and access - is not blocked by the host's firewall. +- Only container port 80 will be open, for IPv4 and IPv6. - For IPv6, using `routed` mode, port 80 will be open on the container's IP address. Port 8080 will not be opened on the host's IP addresses, and outgoing packets will use the container's IP address. - For IPv4, using the default `nat` mode, the container's port 80 will be - accessible via port 8080 on the host's IP addresses, as well as directly. + accessible via port 8080 on the host's IP addresses, as well as directly + from within the Docker host. But, container port 80 cannot be accessed + directly from outside the host. Connections originating from the container will masquerade, using the host's IP address.
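Review bot: In the `_index.md` hunk (PATCH 1/2), the reworded warning scopes the exposure to "releases older than 28.0.0" but never says that 28.0.0 fixed it; that is stated only in the commit message ("Fixed in 28.0.0"), and the unchanged pointer to moby/moby#45610 that follows does not say it either. Consider adding a short sentence to the callout stating that the issue is fixed in 28.0.0, so readers on older engines can see that upgrading is the remedy. Minor style point: the second added line ("> > hosts connected to the same network switch) can reach ports published to localhost.") is longer than the neighbouring wrapped lines and could be rewrapped.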
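Review bot: In the `packet-filtering-firewalls.md` hunk (PATCH 2/2), the new IPv4 `nat` bullet says "container port 80 cannot be accessed directly from outside the host" with no version qualifier, although the commit message scopes the behaviour to "Since 28.0.0" and patch 1/2 words its warning with "In releases older than 28.0.0". A reader on an older engine would take the sentence as a guarantee that, per the commit message, only applies from 28.0.0; add the version to the bullet. The same hunk removes "It is accessible from anywhere, if there is routing to the container's address, and access is not blocked by the host's firewall" from the first bullet, which leaves the IPv6 `routed` bullet with no statement of where port 80 is reachable from; say explicitly whether that still holds in `routed` mode. Style: "But, container port 80" reads better as "However, container port 80" or joined to the preceding sentence.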