Background: I'm trying to have XDebug connect to my IDE from within a docker container (my php app is running inside a container on my development machine). On my Macbook, it has no issue doing this. However, on linux, I discovered that from within the container, the port I was using (9000) was not visibile on the host gateway (Using sudo nmap -sT -p- 172.20.0.1 where 172.20.0.1 is my host gateway in docker).

I was able to fix this issue by opening port 9000 on my development machine (sudo ufw allow 9000/tcp). Once I did this, the container could see port 9000 on the host gateway.

My Question: Is this completely necessary? I don't love the idea of opening up a firewall port just so a docker container, running on my machine, can connect to it. Is there a more secure alternative to this?

CodePudding user response：

From what you've told us, opening the port does sound necessary. If a firewall blocks a port, all traffic over that port is blocked and you won't be able to use the application on the container from the host machine.

What you can do to make this more secure is to specify a specific interface to open the port for as specified here:

ufw allow in on docker0 port 9000 proto tcp

Obviously replace docker0 with the docker interface on your machine. You can find this by looking at the output of ip address show or by following the steps here if the interface name is not obvious.