A few things, in no particular order:

• Docker interferes with user-defined firewall rules on the host. You need to expend a lot of effort to make your rules persist above docker. This functionally means that, if you are running a public-facing VPS/dedicated server and bind services to 0.0.0.0, even if you set up a firewall on the same machine, it won’t work and your services will be publicly accessible
• If you have access to a second firewall device  —  whether it is your router at home, or your hosting provider’s firewall (Hetzner, OVH both like to provide firewall controls external to your server)  — this is not the biggest concern.
• There is no reason to bind your containers to 0.0.0.0. You will usually access most of your containers from a certain IP address, so just bind them to that IP address. My preference is to bind to any address in the 127.0.0.0/8 subnet (yes, that entire subnet is loopback) and then use a reverse proxy. Alternatively, look into the ‘macvlan’ and ‘ipvlan’ docker network drivers.

Good luck

You’re not exposing anything unless your router/firewall explicitly allows it.

0.0.0.0 just means “all addresses on this host”. So binding to 0.0.0.0:80 means “listen on every IP address, TCP port 80”

So say you have a Linux box, and it has 4 network interfaces: 127.0.0.1 (localhost), 192.168.1.101 (main local network), 192.168.1.201 (second local network), and 172.16.10.1 (docker network).

If you run a service on the Linux box, and specify that it listens on 0.0.0.0:80, that service will bind to all of those addresses, and be accessible via 127.0.0.1:80, both 192 addresses, and the docker network address.

Now, if you run that same configuration in a docker container without the “-p host:container”, it will bind to the address given it in the docker network and only that address.

If you run that same container with the -p host:container, it will bind to and listen on all network addresses.

I hope that’s understandable, I’m kinda out of it today so I hope I’m not too incoherent!