vpnkit
With OSX firewall on, slirp is not allowing external connections to privileged ports
If I have the OS X firewall on and try to run, say, nginx on port 80, the port is not opened for external clients. If I run the same image opening 8080 it is fine. I have tried adding an exception for docker in System Preferences to no avail. If the firewall is off, privileged ports are accessible externally.
I can reproduce this.
If I open a privileged port with sudo nc -l 80 then a dialog pops up asking me to allow or deny incoming connections for the process. Since we're binding ports in the privileged helper process which won't have access to the screen/user session perhaps this mechanism doesn't work.
I played with the /usr/libexec/ApplicationFirewall/socketfilterfw tool but I've not made it do anything sensible. Any ideas, @MagnusS ?
I can also reproduce this on the latest beta with docker run -p 80:80 nginx. The port is open on the external interface locally, but it's not accessible remotely - even if the application layer firewall is set to allow signed applications to receive connections. I also tried to add Docker.app, vmnetd and com.docker.slirp manually, but that didn't work either. It may be possible to use pfctl to add a rule for the port manually as a temporary workaround.
Hi, any updates to this issue?
I too would like to know if there are any updates on this issue.
It seems to mean that Docker for Mac cannot provide network access to container services running on privileged ports without completely disabling MacOS's Application Firewall or overriding with pfctl.
Workarounds of using ports >1024, creating specific rules using pfctl or introducing some other firewall solution don't seem appropriate.
Encountered the same issue and was unsuccessful both with adding Docker binaries to the OSX Firewall exceptions and with using pfctl to allow external clients to access privileged ports on Docker containers.
Does someone have a workaround that does not involve disabling the OSX Firewall completely?
E.g., was someone successful in adding working rules with pfctl?
Any updates on this issue? With my Mac (High Sierra) firewall turned on, I am able to access containers exposing port 8080 (such as Jenkins) from other machines but not containers exposing port 80 (such as Nginx).
Still getting this 😭
It works.
After booting the Mac, set the firewall off and then on again using the socketfilterfw command; then well-known ports are OK. Is this a MacOS problem? :-(

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
Password:
Firewall is disabled. (State = 0)
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Firewall is enabled. (State = 1)
TY very much, @hemith! As weird as it seems to be, this workaround solved the problem! However, I just don't understand why it doesn't get reproduced if using any other "safe" ports (such as 8080 and 8443).
@hemith, @mstred, @yuhr and others using the socketfilterfw commands as a workaround:
Please make sure your Firewall is still enabled after you run those commands.
In my tests, the solution only worked because the Firewall was in fact still disabled, despite the misleading "Firewall is enabled" message.
The workaround that I've settled on is using pfctl as @MagnusS and @charlieanstey have mentioned, as it's using a MacOS built-in tool, does not require running any other services and does not interfere with the Application firewall.
For those that are interested: I've created a little port forwarding helper script, that should make usage a little easier. There's also a FAQ entry that explains the script's usage.
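The pfctl workaround discussed above, written out as an added example (this is not the helper script mentioned in the thread nor code from the vpnkit project): it builds a pf rdr rule that forwards an external privileged port to an unprivileged one the container can publish, and it parses the socketfilterfw state output so you can confirm the Application Firewall is really still enabled afterwards. The interface name en0 and the port numbers are placeholder assumptions.

```shell
#!/bin/sh
# Added example: pf-based port forwarding for Docker for Mac with the
# Application Firewall left on. Assumed values: interface en0, ports 80/8080.

# Accept only a plain decimal port number so the generated rule cannot be mangled.
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build one pf rdr rule. Arguments: interface, external port, internal port.
# External clients connect to ext_port; pf redirects to 127.0.0.1:int_port,
# which is the unprivileged port the container publishes with -p.
pf_rdr_rule() {
    iface="$1"; ext_port="$2"; int_port="$3"
    is_port "$ext_port" && is_port "$int_port" || return 1
    printf 'rdr pass on %s inet proto tcp from any to any port %s -> 127.0.0.1 port %s\n' \
        "$iface" "$ext_port" "$int_port"
}

# Extract N from the "(State = N)" suffix that socketfilterfw prints, reading
# the command's output on stdin. Prints 1 when the firewall is enabled, 0 when not.
firewall_state_from_output() {
    sed -n 's/.*(State = \([0-9]\)).*/\1/p'
}

# Load the rule and enable pf (needs root; run only on macOS).
apply_pf_rdr() {
    pf_rdr_rule "$@" | pfctl -ef -
}

# Check that the Application Firewall is genuinely on, not just reporting "enabled".
verify_firewall_enabled() {
    state=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate \
        | firewall_state_from_output)
    [ "$state" = "1" ] || { echo "Application Firewall is NOT enabled" >&2; return 1; }
}
```

Usage on the host would be `sudo sh -c '. ./pf_rdr.sh; apply_pf_rdr en0 80 8080 && verify_firewall_enabled'`, after starting the container with `-p 8080:80`.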