From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=mixedbit.org
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=mixedbit.org header.i=@mixedbit.org header.a=rsa-sha256 header.s=mixedbit header.b=UlrEjXp3;
	dkim-atps=neutral
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435])
	by passt.top (Postfix) with ESMTPS id 1307D5A0276
	for <passt-user@passt.top>; Thu, 27 Nov 2025 13:49:06 +0100 (CET)
Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-42bb288c1bfso492576f8f.2
        for <passt-user@passt.top>; Thu, 27 Nov 2025 04:49:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mixedbit.org; s=mixedbit; t=1764247745; x=1764852545; darn=passt.top;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=UGR93hdL+9e66QcjXd9IvA7qhP/V9gPlqIVPQx9tJ7c=;
        b=UlrEjXp3zVQ4MJtd1ZNcwxML/6wlz6SKbz2wKlC+iXlsWqWwk6Gl66lEsOHKMvSVki
         jfjtvTHtO1YvP/LBBdgP6VatinULc8dJc7+7kDjSdw0nRc7+0pCnHwNKCpeBJS0/UcFm
         YFhQQG4bkh/nhjT4L0VjSfgAC2tpuRJUXerKg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764247745; x=1764852545;
        h=to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=UGR93hdL+9e66QcjXd9IvA7qhP/V9gPlqIVPQx9tJ7c=;
        b=V1Ascn+voYhFLRJLTd9DbukYp9pPAwN9L3NCCDiJOFXRSn44YgNLPO9Q5OuBdw4EK6
         erFfxl1OxsUewuKkU9R+gorUJougQbGBuLzk1VTAK3uPX1l93b2XvXeVPQF4Jd4ViNCB
         xzXV0+tgF71jg7R0/Lu4CxOu2ovAEnGgkROdubOgSw0ujey5mBCUOeC2DfKaDlQxlb4o
         czpMraoMJwH3BKBcxiuZJD31BsYY5jNsIqwV0gRbeMZRGocwUYVShorJbt70Us0In1A6
         6MWyhM0txQcBwqH2byFu8wNY6beAkPv70ZLrAfL/sIS7o0eop9vWK2b/7cFlR8i2ly4X
         hhMw==
X-Gm-Message-State: AOJu0YwgUODKmNf+apwamEQKeNFgpHTGwFW1yvaBak8WExCNtg15JvZw
	lUmJFzccD3SDuREk6pB3ZLH+RCc2CTYsutgk3hFBzS7y+yf78fr06v/kqjgfoCEBMLYh7aQXlwb
	7elxAUk60pJZIP3xVlqOnFwz7WYTeIzbgXstWEJ6DDAeTr09BmQwAAXg=
X-Gm-Gg: ASbGncu9zgqz1KvKCUl4E5VYVFYZ6INvxhXvA39AprHS5E/bLhaM5jfUFQyEho1lD6N
	VBdc1C3+2bg8VXfxmuM8Tj7Cj2R0gG0QMEHi4PUcE7HyDn0ToosjSoanAOpM5uSgRSFLyroRmYy
	YBkzqrWR5Rv2pVEJU/ggvNhphqwvvEv1I0WQlR6YyjnsyL3XCZi3b3rVSSLu0ovcL+wdH/7473B
	d5DcvFoa+HU/x6tSibJgpOC/yOtH0cmKuZ/MDEqGVlT3cnFBt5MI6dm1tuKP+PrIwDOi3U0D/sc
	8pohnco9XSNOz9RCmL9JyEiEh1vc
X-Google-Smtp-Source: AGHT+IEHcYCb+8TWw4MJ+p1h4aW6KMRJ0uXAUwOIJ0pUr2M5wt156/LrWl0uns5LNbSdqu0k3YfUGNx7jJkL5sWFWY8=
X-Received: by 2002:a5d:5d05:0:b0:3ec:ea73:a91e with SMTP id
 ffacd0b85a97d-42e0f1e35f4mr11220391f8f.12.1764247745107; Thu, 27 Nov 2025
 04:49:05 -0800 (PST)
MIME-Version: 1.0
From: Jan Wrobel <jan@mixedbit.org>
Date: Thu, 27 Nov 2025 13:48:54 +0100
X-Gm-Features: AWmQ_bky5mPlRWDGH8z4GPeTn2i5vzIaVJ2L4oSVmouAi-hmbKIBuF8U63vn2hQ
Message-ID: <CACm05o8+8FRr9KGVq+wF7BcnwRR9XXi5QyuDvArv9GiT=xXnrw@mail.gmail.com>
Subject: Auto forwarding ports, but only to localhost
To: passt-user@passt.top
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: 32QRVWL5KPX34UVVHE4OHWAFKFEYJG7B
X-Message-ID-Hash: 32QRVWL5KPX34UVVHE4OHWAFKFEYJG7B
X-MailFrom: jan@mixedbit.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: "For passt users: support, questions and answers" <passt-user.passt.top>
Archived-At: <https://archives.passt.top/passt-user/CACm05o8+8FRr9KGVq+wF7BcnwRR9XXi5QyuDvArv9GiT=xXnrw@mail.gmail.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-user@passt.top/message/32QRVWL5KPX34UVVHE4OHWAFKFEYJG7B/>
List-Archive: <https://archives.passt.top/passt-user/>
List-Archive: <https://passt.top/hyperkitty/list/passt-user@passt.top/>
List-Help: <mailto:passt-user-request@passt.top?subject=help>
List-Owner: <mailto:passt-user-owner@passt.top>
List-Post: <mailto:passt-user@passt.top>
List-Subscribe: <mailto:passt-user-join@passt.top>
List-Unsubscribe: <mailto:passt-user-leave@passt.top>

Hi,

For pasta, would you consider an option to enable automatic forwarding
of ports bound in a namespace, but make the forwarded ports available
only via localhost, not all addresses?

I'm working on a sandboxing program which uses pasta. The option -t
"auto" is super convenient, but requires extra care, without proper
firewall setup bound ports become automatically available to outside
world. For a sandboxing program like mine, it is not a safe default to
run with, because the program shouldn't assume the user will have a
firewall configured.

If something like "localhost/auto" was supported, it would match the
convenience of "auto", no manual port mapping config would be needed,
but would be safer for uses cases where exposing ports to outside
world is problematic.

Cheers,
Jan