
LAN Access to Privileged Ports (<1024)


(Diarmuid) #1

Expected behavior

I should be able to connect to a docker container bound to a privileged port (<1024) from the local network (i.e. not from the host machine).

Actual behavior

Connections to privileged ports (<1024) from outside the host time out.

Steps to Reproduce

On my local machine (192.168.1.2) I create a container running on port 80:

docker run -p 80:80 -d --cap-add NET_BIND_SERVICE nginx

I can access this container through localhost:
$ curl --head --write-out '%{http_code}\n' localhost:80
HTTP/1.1 200 OK

But I get a timeout when trying to access this from another machine on the network (192.168.1.3):

$ curl --head --write-out '%{http_code}\n' 192.168.1.2:80
000
curl: (7) couldn't connect to host

If I repeat this but bind the docker container to a higher port the connection from the LAN works as expected.

docker run -p 8080:80 -d nginx

$ curl --head --write-out '%{http_code}\n' 192.168.1.2:8080
HTTP/1.1 200 OK

Information

Docker for Mac: version: mac-v1.11.2-beta15
OS X: version 10.11.5 (build: 15F34)
logs: /tmp/20160613-094439.tar.gz
failure: No error was detected
[OK] docker-cli
[OK] app
[OK] menubar
[OK] virtualization
[OK] system
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux


(Diarmuid) #2

An update on this issue:

After some more investigation I’ve found that this seems to be caused by the Application Firewall. If you disable the Firewall you can connect to containers running on privileged ports.
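A small diagnostic script, added here and not part of the thread or of Docker for Mac: run from the second LAN machine (the 192.168.1.3 role in post #1), it repeats the two curl probes against the host's privileged and high ports and names the pattern that matches the Application Firewall finding in post #2, with a helper that shows the firewall state when run on the macOS host itself. It assumes curl is installed and takes the host IP and ports as arguments (defaults 80 and 8080, as in the post).

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run it on ANOTHER LAN machine: it
# probes the Docker host's published privileged port and a high port with the
# same curl flags as the post, and reports whether the failure pattern matches
# a port-specific block on the host (the Application Firewall in this thread).
# Assumptions: curl is installed; host IP and ports are given as arguments.

# probe HOST PORT -> prints the HTTP status code, "000" when no connection
probe() {
    code=$(curl --silent --head --max-time 5 --output /dev/null \
                --write-out '%{http_code}' "http://$1:$2/" 2>/dev/null)
    printf '%s' "${code:-000}"
}

# classify LOW_CODE HIGH_CODE -> prints a verdict token and an explanation.
# LOW_CODE is the probe result for the privileged port, HIGH_CODE for the high port.
classify() {
    if [ "$1" = "000" ] && [ "$2" != "000" ]; then
        printf '%s\n' 'low-port-blocked: only the privileged port fails from the LAN; a host firewall blocking it (the macOS Application Firewall in this thread) is the likely cause'
    elif [ "$1" = "000" ] && [ "$2" = "000" ]; then
        printf '%s\n' 'host-unreachable: both ports fail; check the network path or an all-ports firewall before suspecting the port number'
    elif [ "$2" = "000" ]; then
        printf '%s\n' 'high-port-blocked: only the high port fails; not the privileged-port symptom from the thread'
    else
        printf '%s\n' 'no-block: both ports answer from the LAN'
    fi
}

# main HOST_IP [LOW_PORT] [HIGH_PORT] -> runs both probes and prints the verdict
main() {
    host=$1; low=${2:-80}; high=${3:-8080}
    [ -n "$host" ] || { printf 'usage: %s HOST_IP [LOW_PORT] [HIGH_PORT]\n' "$0" >&2; return 2; }
    classify "$(probe "$host" "$low")" "$(probe "$host" "$high")"
}

# On the macOS host itself: show whether the Application Firewall is enabled.
# Does nothing on other systems (the tool is only present on macOS).
firewall_state() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    [ -x "$fw" ] && "$fw" --getglobalstate
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Example: `sh lanprobe.sh 192.168.1.2` from 192.168.1.3 prints the `low-port-blocked` verdict when the thread's symptom is present.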


(Lephleg) #3

@diarmuidie is there a way to just add an allowing rule and not disable the whole firewall?