Firewall Rules for Process Isolated Containers Don't Work as Expected #561

Open
sikhness opened this issue Dec 24, 2024 · 1 comment
Labels: bug, Networking

@sikhness
Describe the bug
When you build an image in Docker with exposed ports and run a process-isolated container from that image with the exposed port mapped to something else, defining a Windows Firewall rule on the mapped port does not work; instead, you have to define it on the port you exposed in the image, which is odd.

For example, if you define EXPOSE 9443 in a Dockerfile during the build of an image, and then run a container using this image and map the port to something else like -p 9081:9443, you would expect that your firewall rules would need to be defined on port 9081 since that is the one exposed to the host. However, you instead need to define it on 9443 for it to take effect.

This is an issue because if you use the same image, or other images with the same internal ports, then even though you map them to different individual host ports when running containers made from them, all containers using that image will have the firewall rule applied to them regardless of which port you have them mapped to.

To Reproduce

  1. Create a Dockerfile and expose a port using something like EXPOSE 9443
  2. Run a process isolated container with the internal port exposed to something else using something like -p 9081:9443
  3. Create a block-all firewall rule on 9081 and you'll see that nothing happens; the service is still accessible as normal.
  4. Change the block-all firewall rule to 9443 and you'll now see the service is no longer reachable on 9081.

Expected behavior
The expected behaviour should be that creating a block all firewall rule on the mapped port (9081 in this example) would block the service on 9081, but instead it does nothing.

Configuration:

  • Edition: Windows Server 2025
  • Base Image being used: Windows Server Nano 2025
  • Container engine: Docker
  • Container Engine Version: 27.3.1
@sikhness sikhness added bug Something isn't working triage New and needs attention labels Dec 24, 2024
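
An audit for the situation described in the report above, as an added example that is not part of the original issue or of any Microsoft or Docker tooling: it lists enabled inbound block rules whose local port matches either side of a running container's port mapping. It assumes the usual docker ps port format (0.0.0.0:9081->9443/tcp), the built-in NetSecurity cmdlets and an elevated session; the function name is hypothetical, and container isolation mode is not checked.

```powershell
# Added example: compare inbound block rules with Docker port mappings.
# Run in an elevated PowerShell session on the container host.

function Get-PublishedPort {
    # Parses lines such as "web1|0.0.0.0:9081->9443/tcp" from docker ps.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $name, $ports = $line -split '\|', 2
        foreach ($m in [regex]::Matches("$ports", ':(\d+)->(\d+)/(tcp|udp)')) {
            [pscustomobject]@{
                Container     = $name
                HostPort      = [int]$m.Groups[1].Value
                ContainerPort = [int]$m.Groups[2].Value
                Protocol      = $m.Groups[3].Value.ToUpper()
            }
        }
    }
}

$maps  = @(Get-PublishedPort (docker ps --format '{{.Names}}|{{.Ports}}'))
$rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True

foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($port in $filter.LocalPort) {
        if ($port -notmatch '^\d+$') { continue }   # skip "Any", ranges, keywords
        $p = [int]$port
        $sameProto = $maps | Where-Object { $filter.Protocol -in 'Any', $_.Protocol }
        $inside = @($sameProto | Where-Object ContainerPort -eq $p)
        $onHost = @($sameProto | Where-Object HostPort -eq $p)

        if ($inside.Count -gt 0) {
            # Per the report, a rule on the container-side port is the one that
            # takes effect, and it covers every container exposing that port.
            [pscustomobject]@{
                Rule = $rule.DisplayName; Port = $p; Matches = 'container port'
                Containers = ($inside | ForEach-Object { "$($_.Container):$($_.HostPort)" }) -join ', '
            }
        }
        elseif ($onHost.Count -gt 0) {
            # Per the report, a rule on the host-mapped port had no effect;
            # confirm reachability from a remote client before relying on it.
            [pscustomobject]@{
                Rule = $rule.DisplayName; Port = $p; Matches = 'host port'
                Containers = ($onHost | ForEach-Object { "$($_.Container):$($_.HostPort)" }) -join ', '
            }
        }
    }
}
```

Rows marked "container port" with more than one container listed are the over-broad case the report describes; rows marked "host port" are rules that, on an affected host, may not be blocking anything.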
Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

@ntrappe-msft ntrappe-msft removed the triage New and needs attention label Jan 21, 2025
@adrianm-msft adrianm-msft added the Networking Connectivity and network infrastructure label Jan 22, 2025