LAN Access to Privileged Ports (<1024)

Expected behavior

I should be able to connect to a docker container bound to a privileged port (<1024) from the local network (i.e. not from the host machine).

Actual behavior

Connections to privileged ports (<1024) from outside the host time out.

Steps to Reproduce

On my local machine (192.168.1.2) I create a container running on port 80:

docker run -p 80:80 -d --cap-add NET_BIND_SERVICE nginx

I can access this container through localhost:
$ curl --head --write-out '%{http_code}\n' localhost:80
HTTP/1.1 200 OK

But I get a timeout when trying to access this from another machine on the network (192.168.1.3):

$ curl --head --write-out '%{http_code}\n' 192.168.1.2:80
000
curl: (7) couldn't connect to host

If I repeat this but bind the docker container to a higher port the connection from the LAN works as expected.

docker run -p 8080:80 -d nginx

$ curl --head --write-out '%{http_code}\n' 192.168.1.2:8080
HTTP/1.1 200 OK

Information

Docker for Mac: version: mac-v1.11.2-beta15
OS X: version 10.11.5 (build: 15F34)
logs: /tmp/20160613-094439.tar.gz
failure: No error was detected
[OK] docker-cli
[OK] app
[OK] menubar
[OK] virtualization
[OK] system
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux

An update on this issue:

After some more investigation I’ve found that this seems to be caused by the Application Firewall. If you disable the Firewall you can connect to containers running on privileged ports.

@diarmuidie is there a way to just add an allowing rule and not disable the whole firewall?