From 276aca1b7f32621d90ca68719d9158bad674e79c Mon Sep 17 00:00:00 2001 From: Rowan Stein Date: Wed, 26 Nov 2025 13:05:36 +0100 Subject: [PATCH] docs(portfwd): document disabling forwarding Signed-off-by: Rowan Stein Signed-off-by: Benkovichnikita Signed-off-by: Casey Quinn --- templates/default.yaml | 12 ++++++++---- website/content/en/docs/config/port.md | 16 +++++++++++++++- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/templates/default.yaml b/templates/default.yaml index 65b8f5bd210..299b5203e04 100644 --- a/templates/default.yaml +++ b/templates/default.yaml @@ -327,7 +327,7 @@ minimumLimaVersion: 2.0.0 # EXPERIMENTAL # Default settings can be imported from base templates. These will be merged in when the instance # is created, and the combined template is stored in the instance directory. -# This setting can be either a single string (URL), or a list of locators. +# This setting ca be either a single string (URL), or a list of locators. # A locator is again either a string (URL), or an object with "url" and "digest" properties, e.g. # base: [{url: ./base.yaml, digest: decafbad}, …] # The "digest" property is currently unused. @@ -489,9 +489,13 @@ networks: # # default: guestPortRange: [1, 65535] # # default: hostPortRange: [1, 65535] # -# - guestIP: 0.0.0.0 # otherwise defaults to 127.0.0.1 -# proto: any # tcp and udp -# ignore: true # don't forward these ports (guestPortRange, in this case 1-65535) +# To disable all dynamic TCP/UDP forwarding (while keeping SSH available via `limactl shell`), +# use a single ignore rule. +# portForwards: +# - guestIP: 0.0.0.0 +# guestIPMustBeZero: false # ensures 0.0.0.0 matches any guest interface +# proto: any +# ignore: true # # - guestPort: 7443 # guestIP: "0.0.0.0" # Will match *any* interface diff --git a/website/content/en/docs/config/port.md b/website/content/en/docs/config/port.md index cd4b9b53f6e..55e7c6929db 100644 --- a/website/content/en/docs/config/port.md 
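Review bot: The added line in the first hunk of templates/default.yaml reads `# This setting ca be either a single string (URL), or a list of locators.`, while the removed line had `can`, so the commit introduces a typo in the `base:` documentation. The change is unrelated to port forwarding. Restore the original wording, `# This setting can be either a single string (URL), or a list of locators.`, or drop this hunk from the patch.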
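Review bot: The second hunk of templates/default.yaml adds a `# portForwards:` key line in the middle of what looks like an already commented-out rule list (the next context line is `# - guestPort: 7443`), so uncommenting the block would give a nested or duplicate key rather than one more rule. The enclosing list starts outside this hunk, so confirm against the full file; I would drop that line and keep the rule as a plain list item. The rewrite also drops the removed inline comments that explained the rule's scope: `# otherwise defaults to 127.0.0.1`, `# tcp and udp`, and the note that the default `guestPortRange` of 1-65535 makes it cover every port. Keep them, since without them a reader cannot tell that omitting `guestIP: 0.0.0.0` leaves non-loopback binds forwarded. If rules are matched in order, as the surrounding examples suggest, also add a line such as `# Must precede any other rule; stops Lima's host-side forwarding only, it does not isolate the guest network`.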
+++ b/website/content/en/docs/config/port.md @@ -129,4 +129,18 @@ The benchmark result, especially the throughput of vzNAT, highly depends on the - Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)

- \ No newline at end of file + + +## Disable all port forwarding + +To disable all dynamic TCP and UDP port forwarding, add a single ignore rule to your instance configuration. SSH access via `limactl shell` continues to work. + +```yaml +portForwards: +- guestIP: 0.0.0.0 + guestIPMustBeZero: false + proto: any + ignore: true +``` + +On Lima versions prior to 2.0, omit the `guestIPMustBeZero` field (the rule still works without it).