Limiting the amount of open ports for a user-defined network


As read in the Docker docs:

User-defined bridges provide better isolation and interoperability between containerized applications.

Containers connected to the same user-defined bridge network automatically expose all ports to each other, and no ports to the outside world.

How can I limit the number of open ports between containers on a user-defined bridge?
I’d like to only have a single (incoming) port open on a specific bridge. (For example, only port 80 to bridge HTTP reverse proxies, or only port 53 as a DNS resolution bridge.)

Kind regards,
Frederic Depuydt

If you really want to lock down the incoming/outgoing messages for container-to-container traffic, you will need to set up a firewall inside your containers. Though, shouldn’t a container only execute the service you are interested in, thus exposing the only opened port(s) in your container? Shouldn’t containers not supposed to interact with each other belong to distinct networks?

In the Kubernetes world this can be done with network policies. Though, there is no counterpart in the Swarm world.
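To show what the Kubernetes network policies mentioned in the reply look like for the two cases in the question (only port 80 toward HTTP backends, only port 53 toward a resolver), here is an added example; it is not part of the original thread. The namespace "web" and the pod labels app=backend, app=reverse-proxy, app=resolver and role=dns-client are assumed names for illustration.

```yaml
# Added example, not from the original thread. Assumed names: namespace "web",
# labels app=backend / app=reverse-proxy / app=resolver / role=dns-client.
#
# Policy 1: backends accept only TCP/80, and only from the reverse proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-http-from-proxy
  namespace: web
spec:
  # Every pod matched here becomes "isolated" for ingress: any inbound
  # connection not listed under `ingress` is dropped by the CNI plugin.
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: reverse-proxy
      ports:
        - protocol: TCP
          port: 80
---
# Policy 2: the resolver accepts only DNS (UDP and TCP 53) from labelled clients.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: resolver-allow-dns-only
  namespace: web
spec:
  podSelector:
    matchLabels:
      app: resolver
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: dns-client
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two points a practitioner should check before relying on this: a NetworkPolicy object is only enforced if the cluster's CNI plugin implements network policy (the API server accepts the object either way, so a missing plugin silently allows everything), and selecting a pod in `podSelector` is what switches it from "allow all" to "allow only what is listed". As the reply notes, Docker Swarm has no equivalent object; there, the options remain separate user-defined networks per trust boundary or host-level firewalling.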