Privacy/security with containers and ports?

I’m not very knowledgeable on the networking side of things, so apologies if this is stupid.

I basically want to run everything on the LAN and keep it “hidden” from the internet so as not to create any additional security risks.

Some context:
I’m planning on running Jellyfin and Mealie (a recipe manager, for those curious) on an old desktop repurposed as a server (running Ubuntu Desktop, it has a address let’s say).
I have no desire to access them from outside the house, or to allow anyone else access from outside the house.
The port forwarding tab in the router settings page does not have any ports listed.

Now, the docs state:

Use the --publish or -p flag to make a port available to services outside of Docker.

I’m not clear on what this means exactly. The Mealie docs (for example) say to publish port 9925:80, which I’m assuming is required in order to connect with something like a tablet. But later in the Docker docs it states:

Publishing container ports is insecure by default. Meaning, when you publish a container’s ports it becomes available not only to the Docker host, but to the outside world as well.

This seems paradoxical to my goal. Would using “-p” solve this issue? Or is there some better way to go about this? Like I said, I just want everything to run locally.


I haven’t checked the documentation, but without the context the quoted statements are indeed confusing. Let me clarify it.

“outside of Docker” without Docker Desktop would be more appropriate as “outside of the container”. In your case it was mentioned in Docker Desktop, so it seems Docker Desktop confirms an actually incorrect assumption that Docker Desktop is Docker itself. It is not. Docker Desktop is a GUI, a virtual machine and Docker CE among other components in the virtual machine. So in the case of Docker Desktop it is true that if you don’t publish a port, it will be available only from inside the container or from the virtual machine outside the container. You can’t normally “be” in the virtual machine outside of a container. The IP addresses of the containers in the VM will not be accessible from the host.

The second quote means if you just publish a port without binding it to a specific IP address, for example local IP address , requests will be forwarded from all of the host’s IP addresses to the chosen container port inside the virtual machine. If one of the addresses is the WAN IP address, there is a chance you will make the port available to anyone coming from the internet, unless there is a firewall to prevent it. So it all depends on which host you are on, what IP addresses that host has, what firewall you have and how that is configured.

Yes. If you want to be absolutely sure that the port is not available from the internet, you need to specify the IP address exactly how you quoted. If you really want to run it only from your local machine, you can use instead of your LAN IP address.

Thank you rimelek, I think I’m beginning to see the light!

I’m just using the Docker Engine and Compose. Does this change anything regarding the use of:



It looks like I have some learning to do.

The quoted code was for docker run, not Docker Compose, which has a “ports” section.