
Comments (10)

hemith commented on September 27, 2024 7

It works.

After booting the Mac,
set the firewall off and
set the firewall on using the socketfilterfw command.
Then well-known ports are OK.
Is this a MacOS problem? :-(

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
Password:
Firewall is disabled. (State = 0)
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Firewall is enabled. (State = 1)

from vpnkit.

MagnusS commented on September 27, 2024 1

I can also reproduce this on the latest beta with docker run -p 80:80 nginx. The port is open on the external interface locally, but it's not accessible remotely - even if the application layer firewall is set to allow signed applications to receive connections. I also tried to add Docker.app, vmnetd and com.docker.slirp manually, but that didn't work either. It may be possible to use pfctl to add a rule for the port manually as a temporary workaround.

from vpnkit.

the-destro commented on September 27, 2024 1

Hi, any updates to this issue?

from vpnkit.

yuhr commented on September 27, 2024 1

Still getting this 😭

from vpnkit.

djs55 commented on September 27, 2024

I can reproduce this.

If I open a privileged port with sudo nc -l 80 then a dialog pops up asking me to allow or deny incoming connections for the process. Since we're binding ports in the privileged helper process which won't have access to the screen/user session perhaps this mechanism doesn't work.

I played with the /usr/libexec/ApplicationFirewall/socketfilterfw tool but I've not made it do anything sensible. Any ideas, @MagnusS ?

from vpnkit.

charlieanstey commented on September 27, 2024

I too would like to know if there are any updates on this issue.

It seems to mean that Docker for Mac cannot provide network access to container services running on privileged ports without completely disabling MacOS's Application Firewall or overriding with pfctl.

Workarounds of using ports >1024, creating specific rules using pfctl or introducing some other firewall solution don't seem appropriate.

from vpnkit.

blueimp commented on September 27, 2024

Encountered the same issue and was unsuccessful both with adding Docker binaries to the OSX Firewall exceptions and with using pfctl to allow external clients to access privileged ports on Docker containers.

Does someone have a workaround that does not involve disabling the OSX Firewall completely?
e.g. was someone successful adding working rules with pfctl?

from vpnkit.

esterkin commented on September 27, 2024

Any updates on this issue? With my Mac (High Sierra) firewall turned on, I am able to access containers exposing port 8080 (such as Jenkins) from other machines but not containers exposing port 80 (such as Nginx).

from vpnkit.

mstred commented on September 27, 2024

> It works.
>
> After booting the Mac,
> set the firewall off and
> set the firewall on using the socketfilterfw command.
> Then well-known ports are OK.
> Is this a MacOS problem? :-(
>
> $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
> Password:
> Firewall is disabled. (State = 0)
> $ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
> Firewall is enabled. (State = 1)

TY very much, @hemith! As weird as it seems to be, this workaround solved the problem!
However, I just don't understand why it doesn't get reproduced if using any other "safe" ports (such as 8080 and 8443).

from vpnkit.

blueimp commented on September 27, 2024

@hemith, @mstred, @yuhr and others using the socketfilterfw commands as a workaround:
Please make sure your Firewall is still enabled after you run those commands.
In my tests, the solution only worked because the Firewall was in fact still disabled, despite the misleading "Firewall is enabled" message.

The workaround that I've settled on is using pfctl as @MagnusS and @charlieanstey have mentioned, as it's using a MacOS built-in tool, does not require running any other services and does not interfere with the Application firewall.

For those that are interested:
I've created a little port forwarding helper script that should make usage a little easier. There's also a FAQ entry that explains the script's usage.

from vpnkit.
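
Added example (not part of the thread and not the helper script mentioned above): a read-back check for the point in the last comment, that the "Firewall is enabled" message printed by --setglobalstate may not match the real state. It assumes --getglobalstate prints the same "(State = N)" format and that the globalstate key in /Library/Preferences/com.apple.alf holds the setting on the macOS release in use; the function names and the strings in the fallback branch are constructed for illustration.

```sh
#!/bin/sh
# Added example: read back the Application Firewall state after toggling it.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw
# Assumption: this plist holds the setting on the macOS release in use.
ALF_PLIST=/Library/Preferences/com.apple.alf

# Extract N from a line such as "Firewall is enabled. (State = 1)".
parse_state() {
    printf '%s\n' "$1" | sed -n 's/.*(State = \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Args: output of --setglobalstate, output of --getglobalstate, plist value
# (may be empty). Returns 0 only if every source agrees the firewall is on.
verify_enabled() {
    claimed=$(parse_state "$1")
    readback=$(parse_state "$2")
    plist=$3
    if [ -z "$claimed" ] || [ -z "$readback" ]; then
        echo "UNKNOWN: could not parse socketfilterfw output"
        return 2
    fi
    if [ "$claimed" != "$readback" ] ||
       { [ -n "$plist" ] && [ "$plist" != "$readback" ]; }; then
        echo "MISMATCH: set=$claimed get=$readback plist=${plist:-n/a}"
        return 1
    fi
    if [ "$readback" = "0" ]; then
        echo "DISABLED: State = 0"
        return 1
    fi
    echo "ENABLED: State = $readback confirmed by read-back"
    return 0
}

if [ -x "$FW" ]; then
    # Live check on macOS: enable, then read the state back two ways.
    set_out=$(sudo "$FW" --setglobalstate on)
    get_out=$("$FW" --getglobalstate)
    plist_val=$(defaults read "$ALF_PLIST" globalstate 2>/dev/null || true)
    verify_enabled "$set_out" "$get_out" "$plist_val" || true
else
    # Constructed sample: the tool claimed "enabled" but read-back says off.
    verify_enabled "Firewall is enabled. (State = 1)" \
                   "Firewall is disabled. (State = 0)" 0 || true
fi
```

A MISMATCH or DISABLED verdict means a port that became reachable after the toggle is reachable because the firewall is off, not because the toggle repaired it.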
