public inbox for passt-user@passt.top
From: David Gibson <david@gibson.dropbear.id.au>
To: Jan Wrobel <jan@mixedbit.org>
Cc: passt-user@passt.top
Subject: Re: Auto forwarding ports, but only to localhost
Date: Sun, 30 Nov 2025 18:24:01 +1100
Message-ID: <aSvxET_HnNR71WUH@zatzit>
In-Reply-To: <CACm05o8k6J22jpK5SE9e-gi4xHA-eZiOhfstfKcf6ChA_YW_rA@mail.gmail.com>

On Fri, Nov 28, 2025 at 12:03:06PM +0100, Jan Wrobel wrote:
> On Fri, Nov 28, 2025 at 2:10 AM David Gibson
> <david@gibson.dropbear.id.au> wrote:
> >
> > On Thu, Nov 27, 2025 at 01:48:54PM +0100, Jan Wrobel wrote:
> > > Hi,
> > >
> > > For pasta, would you consider an option to enable automatic forwarding
> > > of ports bound in a namespace, but make the forwarded ports available
> > > only via localhost, not all addresses?
> > >
> > > I'm working on a sandboxing program which uses pasta. The option -t
> > > "auto" is super convenient, but requires extra care: without a proper
> > > firewall setup, bound ports become automatically available to the
> > > outside world. For a sandboxing program like mine, it is not a safe
> > > default to run with, because the program shouldn't assume the user
> > > will have a firewall configured.
> > >
> > > If something like "localhost/auto" was supported, it would match the
> > > convenience of "auto", no manual port mapping config would be needed,
> > > but would be safer for use cases where exposing ports to the outside
> > > world is problematic.
> >
> > Short answer: yes, but it might be a while.
> >
> > Long answer:
> >
> > We want to make our forwarding / NAT configuration more flexible in
> > ways that would allow a bunch of things, including this.  There are a
> > lot of different features people have requested, each individually
> > simple, but together adding up to quite a lot of work.  I'm actively
> > working on making our internal data structures more flexible to allow
> > more general configuration.  However, it's fairly slow going, between
> > other firefighting and unravelling some technical debt.
> >
> > If you want to make sure your specific use case isn't forgotten, the
> > best way would be to file a ticket for it on passt.top - it will
> > probably be blocked on https://bugs.passt.top/show_bug.cgi?id=140 but
> > that will keep a record to look back at later.
> 
> Thanks for considering adding this feature!
> 
> I'll add the ticket, but currently there is some problem with the
> passt ticket system. I've seen it working at some point but today and
> yesterday https://passt.top/passt/bugs is just an empty page, and
> https://bugs.passt.top/index.cgi gives a 403 error.

Oh, weird.  https://bugs.passt.top is the address to use, but I
haven't noticed it being down in the last couple of days.  It seems to
be working for me right now.

Note that signing up for an account is likely to be somewhat slow -
Stefano has to manually intervene for each sign up, to avoid
inundation by bots.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
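
A host-side check for the exposure discussed in this thread, added here as an example and not part of the original messages or of the passt project's code: it lists TCP listeners that are not bound to a loopback address, using the /proc/net/tcp layout. The function names are hypothetical, the sample table is constructed, and the decoding assumes a little-endian host and that it is run in the host network namespace.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp and /proc/net/tcp6 layout (not from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002
   2: 0100007F:1F91 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004
   4: 00000000000000000000000001000000:0051 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1005
"""

TCP_LISTEN = "0A"  # state value the kernel prints for listening sockets


def decode_addr(hex_addr):
    """Decode the kernel's hex address (32-bit words in host byte order)."""
    raw = bytes.fromhex(hex_addr)
    # Assumption: little-endian host (x86, most ARM); use ">" on big-endian.
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))


def exposed_listeners(table):
    """Return (address, port) for each listener not bound to loopback."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed line
        if fields[3] != TCP_LISTEN:
            continue  # established or other non-listening socket
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        if not addr.is_loopback:  # wildcard (0.0.0.0, ::) or a routable address
            found.append((str(addr), int(port_hex, 16)))
    return found


if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                table = fh.read()
        except OSError:
            continue  # file absent (e.g. IPv6 disabled or non-Linux host)
        for addr, port in exposed_listeners(table):
            print(f"{path}: listening on {addr} port {port}")
```

Comparing the output before and after starting the sandbox shows which listeners appeared on non-loopback addresses.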
