Firewall Rules for Process Isolated Containers Don't Work as Expected

[sikhness]

Describe the bug
When building an image in docker with exposed ports, and you run a process isolated container from that image with that exposed port mapped to something else, defining a Windows Firewall rule does not work on the mapped port, instead you have to define it on the port you exposed in the image which is odd.

For example, if you define EXPOSE 9443 in a Dockerfile during the build of an image, and then run a container using this image and map the port to something else like -p 9081:9443, you would expect that your firewall rules would need to be defined on port 9081 since that is the one exposed to the host. However, you instead need to define it on 9443 for it to take effect.

This is an issue because if you use the same image or other images with the same internal ports, despite you mapping them to different individual host ports when running containers made from them, all containers using that image will have the firewall rule applied to it regardless of which port you have it mapped to.

To Reproduce

1. Create a Dockerfile and expose a port using something like EXPOSE 9443
2. Run a process isolated container with the internal port exposed to something else using something like -p 9081:9443
3. Create a block all firewall rule on 9081 and you'll see that nothing happens, the service is still accessible as normal.
4. Change the block all firewall rule to 9443 and you'll now see the service is no longer reachable on 9081

Expected behavior
The expected behaviour should be that creating a block all firewall rule on the mapped port (9081 in this example) would block the service on 9081, but instead it does nothing.

Configuration:

• Edition: Windows Server 2025
• Base Image being used: Windows Server Nano 2025
• Container engine: Docker
• Container Engine Version: 27.3.1

[github-actions]

Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

[adrianm-msft]

Hi @sikhness, when running containers on an l2bridge network, external traffic to the container first reaches the vSwitch. Here, VFP rewrites the port from the host to the container port. The packet is then forwarded to the container's vNIC, where the firewall rule is processed. Therefore, you need to specify the container port rather than the host port when setting firewall rules. More info on l2bridge container networking here.

[sikhness]

Hi @adrianm-msft,
Thanks for providing the clarification on this.

How would you go about solving the issue where you want to control the firewall rules for multiple containers running that share the same port within their respective containers but are mapped to different host ports? Is that not possible without having to change the container port itself and then perform firewall rules on that?

I'm using NAT networking (the default), is that also the same as l2bridge in terms of firewall rules?

[adrianm-msft]

You can try setting ACLs on the container's vNIC. For example, to block inbound traffic to port 80 on a container with IP address "172.30.81.218", from the container host using the HNS module in PowerShell:

$endpoint = Get-HnsEndpoint | Where-Object { $_.IpAddress -eq "172.30.81.218" }

$acl_json = '{
    "Policies": [
        {
            "Type": "ACL",
            "Action": "Block",
            "Direction": "In",
            "LocalAddresses": "",
            "RemoteAddresses": "172.30.81.218",
            "LocalPorts": "80",
            "Protocol": 6,
            "Priority": 200
        }
    ]
}' 

Invoke-HNSRequest -Method POST -Type endpoints -Id $endpoint.ID -Data $acl_json

This should allow you to specify ACL rules for multiple containers that may expose the same port.