In hindsight, making the default listening address for port forwards in docker(-compose) 0.0.0.0 instead of 127.0.0.1 was/is such a pain point for me. Every time I work with it for servers as almost always it should not be directly exposed (usually services are behind a host-side NGINX rev proxy).

It also likely has yielded far too many (unintentionally) open services, especially considering dockers known firewall woes with bypassing of existing rules.

I agree that it's a bad default. So is their iptables meddling when nftables exists.

However, can't you just use e.g. `-p 127.0.0.1:8000:80` since you're aware of the issue? Pretty sure both the CLI and compose support this.

What I do is to only use rootless docker/podman and then forward the ports with nftables rules.

Yes, that is also what I apply to compose manifests.

The problem is rather that it is always a deviation from defaults and ime can be easily forgotten/ overlooked.

It also was at the beginning a bit surprising (listening on 0.0.0.0 and inserting an iptables rule that bypassed my ufw ruleset). Many services listen on on 0.0.0.0 by default but they rarely do it while bypassing the normal host firewall mechanisms.

You can but the __default__ should be the safer option.

It's not only docker. ssh forward port forwarding also by default binds to 0.0.0.0, if `<local>` is missing.

``` ssh -L [<local>:]8000:remote:8000 hopping ```

ssh doesn't mess with your firewall though

That sounds like a bigger problem...

To make these numbers meaningful, we would need to compare them to a similar software installations in Internet, like SQL databases.