[newbie] Dynamic ports are exposed on the host

Hi,

I have Rancher installed on a single host with a number of services which all define internal port bindings. I also have a single loadbalancer which forwards 80/443 to the relevant services. This works wonderfully.

However, I was somewhat horrified to discover that every ‘internal’ port is mapped to a dynamic port on the host (obviously), but that port is also accessible to the outside world.

Specifically, if my internal container has an IP of 10.42.1.1 and a dynamic port of 63321 then visiting host:63321 bypasses the loadbalancer and takes you through to port 80.

Is this expected? I assumed that Rancher would update iptables to prevent accessing these?

What have I missed?

Thanks!

Ah, I think I found it.

I mistakenly assumed I had to add a port mapping for each exposed port, but leave the ‘public’ port blank.

If I remove the mapping completely then the loadbalancer still works but there are no dynamic ports bound to 0.0.0.0.
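A quick way to confirm that no service still has a dynamic port bound on every host interface is to audit the Docker port bindings on the host. The script below is an added example, not part of the original thread or of Rancher itself; it assumes the Rancher host runs Docker and that you feed it the JSON from `docker inspect $(docker ps -q)`. The sample `NetworkSettings.Ports` data embedded in it is constructed for the example (names, IPs and the 63321 port are made up), and treating an empty `HostIp` as "all interfaces" is a conservative assumption.

```python
"""Audit `docker inspect` output for container ports published on all host
interfaces (HostIp 0.0.0.0 or ::). A Rancher port mapping with the 'public'
port left blank produces exactly this: Docker picks a dynamic host port and
binds it on every interface, so the service is reachable without passing
through the load balancer. Ports that are merely exposed (no binding) and
ports bound only on 127.0.0.1 are not flagged."""
import json
import sys

# Constructed sample modelled on the NetworkSettings.Ports structure that
# `docker inspect` returns; all values here are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-app-1",
        "NetworkSettings": {
            "IPAddress": "10.42.1.1",
            "Ports": {
                # Mapping with the public port left blank: dynamic host port on all interfaces.
                "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "63321"}],
                # Exposed but not published: Docker reports no binding (null).
                "9000/tcp": None,
            },
        },
    },
    {
        "Name": "/lb-1",
        "NetworkSettings": {
            "IPAddress": "10.42.1.2",
            "Ports": {
                "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
                "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}],
            },
        },
    },
    {
        "Name": "/admin-1",
        "NetworkSettings": {
            "IPAddress": "10.42.1.3",
            "Ports": {
                # Published on loopback only: not reachable from other hosts.
                "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}],
            },
        },
    },
])

# Assumption: an empty HostIp is treated as "all interfaces" to stay conservative.
WILDCARD_IPS = {"0.0.0.0", "::", ""}


def published_ports(inspect_json, allowed=frozenset()):
    """Return (container, container_port, host_ip, host_port, ok) for every
    published port. ok is False when the binding is on all interfaces and the
    (container, host_port) pair is not in the `allowed` set."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        ports = container["NetworkSettings"].get("Ports") or {}
        for cport, bindings in ports.items():
            for binding in bindings or []:  # None/null means exposed, not published
                host_ip = binding.get("HostIp", "")
                host_port = binding["HostPort"]
                wildcard = host_ip in WILDCARD_IPS
                ok = (not wildcard) or (name, host_port) in allowed
                findings.append((name, cport, host_ip, host_port, ok))
    return findings


def unexpected_exposures(inspect_json, allowed=frozenset()):
    """Only the bindings that should not be reachable from outside the host."""
    return [f for f in published_ports(inspect_json, allowed) if not f[4]]


if __name__ == "__main__":
    # Only the load balancer is meant to listen on the host's public interfaces.
    allowed = frozenset({("lb-1", "80"), ("lb-1", "443")})
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, cport, host_ip, host_port, ok in published_ports(data, allowed):
        print(f"{'ok  ' if ok else 'OPEN'} {name:10s} {cport:9s} -> {host_ip or '*'}:{host_port}")
```

Run it as `docker inspect $(docker ps -q) | python3 audit_ports.py` on the host (or with no stdin to see the constructed sample); any line marked `OPEN` is a container port that is published on all interfaces without being in the allow list, which is the situation described in the first post. The allow list is keyed on container name and host port so that the load balancer's intentional 80/443 bindings are not reported.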