It seems that Docker forwards traffic on all ports opened inside containers on all interfaces. For instance, I have a webserver running on port 8000 inside a container, and it is reachable from the entire local network. Is there an option to make containers only reachable from localhost?
When the firewall dialog came up I denied it access, but that doesn’t help.
So far I have noticed that, with the firewall on, privileged ports (those below 1024) are not remotely accessible. The other option is to do -p 127.0.0.1:8000:8000
It seems you’re right, and it also seems that it is not a Docker for Mac problem. Reading the Docker Compose docs again, I now see what I did wrong. Without specifying a host IP it just binds the port on 0.0.0.0, so instead of specifying the port as “8000:8000” I now have it listed as “127.0.0.1:8000:8000” and that works.
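Added example, not code from this thread or from Docker: a POSIX shell helper that rewrites a -p port spec into its loopback-bound form (the fix both answers arrive at), plus an awk check that lists the short-syntax ports: entries in a compose file that carry no host IP and will therefore be published on 0.0.0.0. The function names (localhost_only, unbound_ports, sample_compose) and the compose fragment are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Docker publishes "-p CONTAINER",
# "-p HOST:CONTAINER" and compose "HOST:CONTAINER" on 0.0.0.0 unless the
# host side starts with an IP. These helpers make the loopback form explicit.

# Rewrite a port spec to bind on 127.0.0.1 only. Accepts the forms Docker
# takes: CONTAINER, HOST:CONTAINER, IP:HOST:CONTAINER, [IPv6]:HOST:CONTAINER,
# each optionally suffixed with /tcp or /udp.
localhost_only() {
  spec=$1
  proto=""
  case $spec in
    */*) proto="/${spec##*/}"; spec=${spec%/*} ;;   # keep the protocol suffix
  esac
  case $spec in
    \[*\]:*) rest=${spec#*\]:} ;;   # bracketed IPv6 host IP: drop it
    *:*:*)   rest=${spec#*:} ;;     # IPv4 host IP: drop it
    *:*)     rest=$spec ;;          # HOST:CONTAINER
    *)       rest=":$spec" ;;       # CONTAINER only: Docker picks the host port
  esac
  printf '127.0.0.1:%s%s\n' "$rest" "$proto"
}

# Read a compose file on stdin and print each short-syntax "- SPEC" under a
# "ports:" key that names no host IP (those are bound on all interfaces).
# The long target:/published: syntax is not parsed.
unbound_ports() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
    inports && /^[ \t]*-/ {
      s = $0
      sub(/^[ \t]*-[ \t]*/, "", s)          # drop the list dash
      sub(/[ \t]*#.*$/, "", s)              # drop a trailing comment
      gsub(/"/, "", s); gsub(/'\''/, "", s) # drop quotes
      if (s ~ /^\[/) next                   # [IPv6]:HOST:CONTAINER is bound
      if (split(s, f, ":") < 3) print s     # fewer than 3 fields: no host IP
      next
    }
    { inports = 0 }                         # any other line ends the list
  '
}

# Constructed compose fragment for the example (not a real project file).
sample_compose() {
  cat <<'EOF'
services:
  web:
    image: nginx:alpine
    ports:
      - "8000:8000"            # bound on 0.0.0.0: reachable from the LAN
      - "127.0.0.1:8001:8001"  # loopback only
      - "[::1]:8002:8002"      # IPv6 loopback only
  db:
    image: postgres:16
    ports:
      - 5432                   # container port only: ephemeral host port on 0.0.0.0
EOF
}

main() {
  for spec in 8000 8000:8000 8000:8000/udp 0.0.0.0:8000:8000 '[::1]:8000:8000'; do
    printf '%-18s -> %s\n' "$spec" "$(localhost_only "$spec")"
  done
  echo "compose entries published on all interfaces:"
  sample_compose | unbound_ports
  # Real use:  docker run -d -p "$(localhost_only 8000:8000)" nginx:alpine
  # Verify:    docker port CONTAINER  (expect 127.0.0.1:8000, not 0.0.0.0:8000)
}
main "$@"
```

After changing a mapping, docker port CONTAINER (or ss -ltn on a Linux host) shows which address the host side is bound to. Two caveats worth knowing: on Linux, Docker implements published ports with its own iptables DNAT rules, so a host firewall that filters the INPUT chain does not block them, and binding to 127.0.0.1 is the dependable fix rather than a firewall rule; and if every container on a host should default to loopback, dockerd's --ip flag (the "ip" key in daemon.json) changes the default bind address for all published ports instead of editing each mapping.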