8:19 a.m.
Hello Christian,
We have been around and around on this topic as a team. The best
answer we could come up with is that by default, no binding would
"open" the host to external connections. Meaning, we would not punch a
hole in the firewall to allow ports. We feel that is the
user/administrater's responsibility.
On Tue, 2020-05-26 at 08:51 +0000, Felder, Christian wrote:
Hello,
I hope this message finds you guys well. I’ve a question regarding
CNI and podman run’s publish flag (-p).
When using podman run -p … DNAT rules in the forward chain are
automatically created for allowing traffic to the container/pod.
Unfortunately this bypasses the input chain which is usually used to
explicitly allowing external traffic for a specific service/port.
Using podman run -p … the port is world-wide accessible though.
One solution is to just bind to the loopback interface using -p
127.0.0.1:XXX:XXX which will ensure that the port is just available
on the
host system but on the other hand this does not allow using ssh
tunnelling for authorised external access.
What are best practices for having a container's/pod’s port exposed
to the host but having explicitly control whether this should be
accessible world-wide or not?
Just note I am using podman on CentOS 8 (podman-1.6.4-
4.module_el8.1.0+298+41f9343a.src.rpm)
Thanks in advance.
Christian
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io