The system firewall has two active zones:

  • public – every network interface is added to it; limited TCP/UDP ports are allowed from the public zone.
  • trusted – cluster VPN network; any connection is allowed from the trusted zone.

As a general rule, any module which doesn’t require a well-known port, should request a random port using org.nethserver.tcp-ports-demand and org.nethserver.udp-ports-demand labels.

The following example creates a private network namespace and starts a TCP proxy to connect port 8080 inside the container from ${TCP_PORT} or ${UDP_PORT}:

/usr/bin/podman run ... --publish ${TCP_PORT}:8080 ...

Web applications are usually configured as backends for the local Traefik HTTP proxy. They can bind only the loopback IP address:

/usr/bin/podman run ... --publish${TCP_PORT}:8080 ...

The next example does not use any TCP proxy and is more performant. It requires to configure the listening service in the container to use directly TCP port ${TCP_PORT}. The container shares the network namespace with host machine:

/usr/bin/podman run ... --network=host ...

Modules using a well-known port, can bind any IP address for that port. For instance:

/usr/bin/podman run ... --publish 25:25

Such modules must be properly authorized to open the well-known port in the system firewall. See system firewall for details.