Hello,
I hope this message finds you guys well. I have a question regarding CNI and podman run's publish flag (-p).

When using podman run -p … DNAT rules in the forward chain are automatically created for allowing traffic to the container/pod. Unfortunately this bypasses the input chain, which is usually used to explicitly allow external traffic for a specific service/port. Using podman run -p … the port is world-wide accessible though.

One solution is to just bind to the loopback interface using -p 127.0.0.1:XXX:XXX, which will ensure that the port is just available on the host system, but on the other hand this does not allow using ssh tunnelling for authorised external access.

What are best practices for having a container's/pod's port exposed to the host but having explicit control over whether this should be accessible world-wide or not?

Just note I am using podman on CentOS 8 (podman-1.6.4-4.module_el8.1.0+298+41f9343a.src.rpm).
Thanks in advance.
Christian
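As an added example (not part of the original mail, and not podman or CNI project code), the following script shows how one can audit a nat-table dump for published container ports that carry no destination restriction and are therefore reachable from any address, which is the situation the mail describes. It goes slightly beyond the mail by also distinguishing rules pinned to a specific host address from loopback-only ones. The sample rules, chain names and addresses below are constructed for the example and are not taken from a real host; on a real system the input would be the output of `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example: audit an iptables-save style nat-table dump for DNAT rules
# that publish a container port without restricting the destination address.
# The rule lines below are constructed; chain names and addresses are assumptions.

SAMPLE_RULES='-A CNI-DN-example1 -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.88.0.2:80
-A CNI-DN-example2 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 10.88.0.3:5432
-A CNI-DN-example3 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.88.0.4:8443'

# Print one line per DNAT rule in the form "<host-port> <scope> <target>".
# scope is "loopback" when the rule is restricted to 127.x (the -p 127.0.0.1:X:Y
# case), "host-addr" when restricted to another specific address, else "any".
audit_dnat_rules() {
    printf '%s\n' "$1" | awk '
        / -j DNAT / {
            dport = ""; dest = ""; scope = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
                if ($i == "-d") scope = ($(i + 1) ~ /^127\./) ? "loopback" : "host-addr"
            }
            if (dport != "") print dport, scope, dest
        }'
}

# Print only the host ports that any source address can reach through DNAT.
world_reachable_ports() {
    audit_dnat_rules "$1" | awk '$2 == "any" { print $1 }'
}

# Count of DNAT publish rules found, used to sanity-check the parse.
count_dnat_rules() {
    audit_dnat_rules "$1" | awk 'END { print NR }'
}

audit_dnat_rules "$SAMPLE_RULES"
```

Because these rules live in the nat table's PREROUTING path and are then accepted in FORWARD, an INPUT-chain policy never sees them; an audit like this, run from the dump rather than from the INPUT rules, is what shows which published ports are actually open.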