By default Docker is munging the firewall in a way that breaks security - it allows all traffic from all network devices to access the exposed ports on containers.

Consider a site that has 2 containers: Container A exposes 443 running Nginx, and Container B runs an API on port 8000. It's desirable to open Container A to the public for use, but hide Container B entirely so that it can only talk to localhost (for testing by the user) and the Docker network (for talking to Container A). It might also be desirable for testing purposes to have Container C be a database used by Container B with the same kind of restrictions.

I found this because of monitoring logs on a service I had thought was not open to the public. After finding log entries from sources trying to break in, I checked the firewall rules and found there was no limit on the source addresses or interfaces. I use UFW and only allow SSH onto this particular box, and would prefer to keep it that way.

This can dramatically impact using Docker containers to deploy services and lead to potential security problems if people are not careful. The best security practice would be to by default limit the networking to work like the desired-effect example above, and then allow the user to add the appropriate firewall, etc. rules to override such behavior, or have an option to revert to the current behavior. I know that for legacy reasons that is not likely, since it would break a lot of things on update, so at least having an option to enable the above that can be turned on now would be a good first step, and perhaps later, after much warning, make it the default behavior.
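The three-container layout described above, written as an added Docker Compose example that is not part of the original post or of Docker's own documentation; service names, image tags and the internal network name are assumptions for illustration. The point it demonstrates is that a published port's host address, not UFW, decides who can reach a container: Docker writes the DNAT rule for every `ports:` entry into its own iptables chains, and packets to a published port are accepted there before the UFW-managed `INPUT` rules are consulted.

```yaml
# Added example: publish only what should be public, bind the rest to loopback.
services:
  # Container A: meant to be public, so binding to every interface is intended.
  # "443:443" is shorthand for "0.0.0.0:443:443", which Docker turns into a
  # DNAT rule reachable from any interface regardless of UFW's INPUT policy.
  nginx:
    image: nginx:stable
    ports:
      - "443:443"
    networks:
      - backend

  # Container B: the API. Prefixing the host port with 127.0.0.1 makes the
  # DNAT rule match only traffic addressed to loopback, so the host user can
  # test it at http://127.0.0.1:8000 while it is not reachable from eth0.
  # Container A still reaches it by service name over the backend network.
  api:
    image: example/api:latest   # assumed image name
    ports:
      - "127.0.0.1:8000:8000"
    networks:
      - backend

  # Container C: the database. No "ports:" entry at all, so Docker creates no
  # DNAT rule; it is reachable only from other members of the backend network.
  db:
    image: postgres:16
    networks:
      - backend

networks:
  backend:
    driver: bridge
```

Two host-side settings complement this, both from Docker's own feature set rather than the example: setting `"ip": "127.0.0.1"` in `/etc/docker/daemon.json` changes the default bind address for every `-p`/`ports:` mapping so a forgotten prefix fails closed rather than open, and rules that should apply to container traffic belong in the `DOCKER-USER` iptables chain (for example `iptables -I DOCKER-USER -i eth0 -p tcp --dport 8000 -j DROP`), which Docker consults before its own rules and does not rewrite on restart; UFW's default chains are not the place for them.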