by Root_Denied 18 days ago
My understanding is that docker will expose the ports to the host machine's network interfaces, which is a crucial difference. For my home server running docker that means exposed to the LAN, but not the WAN unless I add in a port forwarding rule on my router. Similarly in an enterprise environment you would be exposing the port on whatever VLAN the host is connected to, which hopefully doesn't have direct transit to the open internet.

Anything you're running on the perimeter with open access to the internet in an enterprise environment probably (hopefully) isn't running docker containers without some additional config and protections.

2 comments

I was thinking along similar lines to what you've suggested here, but then I considered how many VPS might be configured by folks following some random web tutorial, to set up their LAMP stack (or whatever), that end up doing something like what was described.
A lot of those VPS instructions these days recommend a reverse proxy like Caddy or Traefik for that exact reason. I think it's also a valid argument to say that anyone playing around on a VPS without knowing what they're doing is probably going to learn some hard lessons, and that's kind of the point.
But there it's a feature.
Except for the M in LAMP.
Let's hope the M at least has a root password.

But you are right, that would be nasty. In my time the LAMP tutorials used the distribution packages so they always had sensible defaults.

If you ever suddenly get IPv6, it may become globally routable without you realizing.
It's not a routing issue, it's a firewall issue. Make sure you have a proper firewall on your network and don't rely on fake firewalls like ufw if you're concerned about this.
Again, if your router or perimeter devices are appropriately managing your network then it's a non-issue. By default most home routers have IPv6 disabled, and if you're setting up an enterprise environment with a VLAN you're probably subnetting IPv4 instead of using IPv6 at all.

All that means that if you're using IPv6 then you're proactively enabling it on whatever is handling your perimeter, which means you hopefully know what you're doing along with all the gotchas that come with that setup.

Most modern equipment bans inbound traffic that doesn't match an existing outbound traffic flow.
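As an added example (not from any of the commenters), a small POSIX sh helper covering the points raised in this thread: it classifies Docker port-publish specs by the host address they bind, rewrites the ones bound to every interface so only a reverse proxy on the same host (Caddy or Traefik, as mentioned above) can reach the container, and fails a constructed LAMP-style port list that publishes MySQL on 3306 to the world. The sample port list is constructed for the example.

```shell
# Classify docker -p / compose `ports:` specs ([HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]
# or CONTAINER_PORT) by the host address they bind. With no HOST_IP Docker binds every
# interface, and since Docker inserts its own FORWARD rules, ufw's defaults don't block it
# (custom filtering for published ports belongs in the DOCKER-USER chain).
publish_scope() {
    s=${1%%/*}                                         # drop /tcp or /udp
    case $s in
        \[*\]:*) host=${s%%]:*}; host=${host#\[} ;;   # bracketed IPv6 host
        *:*:*)   host=${s%%:*} ;;                      # dotted IPv4 host
        *)       host="" ;;                            # no host address given
    esac
    case $host in
        ""|0.0.0.0|::) echo all-interfaces ;;
        127.*|::1)     echo loopback ;;
        *)             echo specific-ip ;;
    esac
}
# Rewrite a wide-open spec so the host side listens on loopback only; a reverse
# proxy such as Caddy or Traefik on the same host can still reach the container.
harden_publish() {
    spec=$1
    [ "$(publish_scope "$spec")" = all-interfaces ] || { echo "$spec"; return; }
    case ${spec%%/*} in
        \[::\]:*)  rest=${spec#\[::\]:};  echo "[::1]:$rest" ;;
        0.0.0.0:*) rest=${spec#0.0.0.0:}; echo "127.0.0.1:$rest" ;;
        *:*)       echo "127.0.0.1:$spec" ;;
        *)         echo "127.0.0.1::$spec" ;;          # keep the ephemeral host port
    esac
}
# Constructed sample: the ports a LAMP-style compose file might publish.
SAMPLE_PORTS='80:80
443:443
3306:3306
127.0.0.1:8080:8080
[::]:5432:5432/tcp'
# Print scope, spec and hardened form for each entry; return 1 if any entry
# binds every interface, so the check can gate a deploy script.
audit_ports() {
    exposed=0
    while IFS= read -r p; do
        scope=$(publish_scope "$p")
        printf '%-15s %-22s -> %s\n' "$scope" "$p" "$(harden_publish "$p")"
        if [ "$scope" = all-interfaces ]; then exposed=$((exposed + 1)); fi
    done <<EOF
$1
EOF
    [ "$exposed" -eq 0 ]
}
audit_ports "$SAMPLE_PORTS" || echo "warning: some published ports bind every host interface"
```

The 80 and 443 entries are the ones a reverse proxy legitimately publishes; everything else in the sample should be moved behind it or bound to loopback.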