A convenient way of preventing containers on a VPS from being unnecessarily exposed to the internet due to Docker's iptables rules bypassing the system firewall is to map the container port to 127.0.0.1:[host port] rather than just giving Docker a host port number. The latter leads to it being mapped to 0.0.0.0:[host port], which is then exposed to the internet.
However, in Yacht, this does not seem to work correctly.
E.g. adding 127.0.0.1:8083 in the host port field results in the container being mapped to 32769 for some reason. See screenshots below.
Entering the port:
The resulting container running on the wrong port, and still exposed to the internet:
OS: Ubuntu on host machine
Browser: Firefox
Yacht Version: v0.0.7-alpha-2023-01-12--05
Because generally 127.0.0.1 refers to the Windows loopback, pointing back to the Windows system, not Docker.
However, when you put that in Docker and a container, the container is running a mini OS inside itself. So technically, if the container has 127.0.0.1, then it points to itself, but if you use it, then it's pointing back to the Windows host. You have to remember to treat Docker containers like they are other mini VMs on another network, because they kind of are....
127.0.0.1 is indeed the IP address of the host's loopback interface, which is not exposed to the outside world.
0.0.0.0 is the host's IP address for ALL network interfaces, including whatever interface is exposed to the outside world.
When mapping ports from container to host, if you only provide a port number, then Docker automatically maps the container's port to that port on the host's 0.0.0.0 interface, meaning that your container port is directly exposed on all other interfaces, and therefore also to the outside world. This is a security concern.
However, it is possible with docker to map a container port to the host's loopback address only, by prepending the host port number with 127.0.0.1. This way the container's port is still available to anything on the host system, but is not exposed to the outside world.
It may not be best practice, but it is a nifty way of keeping your services available on localhost, so you can easily access them from other services on that machine, while not exposing them to the internet.
Also, it's worth pointing out that this already works in Docker CLI, Docker Compose and Portainer.
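The two posts above (the report of `127.0.0.1:8083` being turned into an ephemeral port, and the explanation of what a bare host port versus a `127.0.0.1:` prefix means) both come down to parsing Docker's published-port syntax correctly. The following is an added example, not code from Yacht or from the people in this thread. It parses the `[[host_ip:]host_port:]container_port[/proto]` short syntax used by `docker run -p` and Compose, flags which specs bind to all interfaces, and converts them into the `ports` dict format the Docker SDK for Python documents for `containers.run()`. The `host_field_to_spec` helper is a hypothetical stand-in for a UI "host port" field that should accept either `8083` or `127.0.0.1:8083`; port ranges are not handled.

```python
"""Parse Docker-style published-port specs and flag binds to all interfaces.

Added example (not Yacht code). Grammar handled, as used by `docker run -p`
and the Compose `ports:` short syntax:

    [[host_ip:]host_port:]container_port[/proto]

host_ip may be an IPv4 address or a bracketed IPv6 address such as [::1].
An empty host_port (e.g. "127.0.0.1::80") means Docker picks an ephemeral port.
Port ranges ("8000-8010:80") are deliberately not supported here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Union


@dataclass(frozen=True)
class PortSpec:
    container_port: int
    proto: str = "tcp"
    host_ip: Optional[str] = None    # None: Docker binds 0.0.0.0 (and [::])
    host_port: Optional[int] = None  # None: Docker assigns an ephemeral port


def _to_port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return port


def parse_port_spec(spec: str) -> PortSpec:
    """Parse one published-port spec; raises ValueError on malformed input."""
    spec = spec.strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol: {proto!r}")

    host_ip: Optional[str] = None
    if spec.startswith("["):                 # bracketed IPv6 host address
        end = spec.find("]")
        if end < 0 or not spec[end + 1:].startswith(":"):
            raise ValueError(f"malformed IPv6 host address in {spec!r}")
        host_ip = spec[1:end]
        spec = spec[end + 2:]

    parts = spec.split(":")
    if len(parts) == 1:
        host_port_text, container_text = "", parts[0]
    elif len(parts) == 2:
        host_port_text, container_text = parts
    elif len(parts) == 3 and host_ip is None:
        host_ip, host_port_text, container_text = parts
    else:
        raise ValueError(f"cannot parse port spec {spec!r}")

    if host_ip is not None:
        ipaddress.ip_address(host_ip)        # validates, raises ValueError

    host_port = _to_port(host_port_text) if host_port_text else None
    return PortSpec(_to_port(container_text), proto, host_ip, host_port)


def is_exposed_to_all_interfaces(spec: PortSpec) -> bool:
    """True when Docker will bind the host side on every interface."""
    if spec.host_ip is None:
        return True
    return ipaddress.ip_address(spec.host_ip).is_unspecified  # 0.0.0.0 or ::


def to_docker_sdk_ports(specs: Iterable[str]) -> Dict[str, Union[None, int, tuple]]:
    """Build the `ports` mapping accepted by docker-py's containers.run()."""
    mapping: Dict[str, Union[None, int, tuple]] = {}
    for raw in specs:
        spec = parse_port_spec(raw)
        key = f"{spec.container_port}/{spec.proto}"
        if spec.host_ip is not None:
            mapping[key] = (spec.host_ip, spec.host_port)   # ('127.0.0.1', 8083)
        else:
            mapping[key] = spec.host_port                   # 8083, or None
    return mapping


def host_field_to_spec(host_field: str, container_port: int, proto: str = "tcp") -> str:
    """Hypothetical UI helper: accept '8083' or '127.0.0.1:8083' in a host field."""
    host_field = host_field.strip()
    if not host_field:
        return f"{container_port}/{proto}"
    return f"{host_field}:{container_port}/{proto}"


if __name__ == "__main__":
    # Constructed sample: the report's mapping beside an all-interfaces one.
    for raw in ("127.0.0.1:8083:80", "8083:80", "[::1]:8083:80/udp"):
        spec = parse_port_spec(raw)
        print(raw, "-> exposed on all interfaces:", is_exposed_to_all_interfaces(spec))
```

After a container is started, the effective bind is what counts, not what the UI showed: `docker port <container>` prints the host side (for example `127.0.0.1:8083` versus `0.0.0.0:8083`), and `ss -ltnp` on the host shows the same listener, so either is a quick check that the loopback prefix actually took effect.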