Is your feature request related to a problem? Please describe.
In OrbStack, containers on separate user-defined Docker networks can reach each other, which isn't how Docker normally behaves. This was reported in #1944 and closed as intended back in May 2025, but things have changed since - that was before Sha1-Hulud and the npm/PyPI supply-chain worms that have hit since. So, I was hoping we could discuss it again with this new background:
- I agree that bridge isolation in dev isn't valuable as a hard security boundary. But there's still a security purpose to it, and that's limiting blast radius. When a compromised dependency runs in one of my containers, isolation stops it from reaching everything else I have running. Or perhaps more simply, we can no longer afford to be lax about security in dev envs, and every tool helps for defense in depth.
- Pretty much every other Docker engine isolates user-defined networks, and in particular native Linux Docker does, so something working fine in OrbStack might quietly break elsewhere. This isn't just theoretical for us: half our team is on Linux. It would be great to have parity here.
Describe the solution you'd like
I'd like isolation for user-defined networks, the way native Linux Docker does it. Ideally on by default, or at least opt-in.
Describe alternatives you've considered
The only real alternative I can think of is reimplementing the isolation with iptables. It's doable; it's just a `DROP` rule in the `DOCKER-USER` chain. But installing those rules means running a privileged, host-network container with `NET_ADMIN` over the whole VM, and that's a lot of privilege to grant for something intended to tighten security.
Additional context
Picking up a thread from #1944, I don't think isolation actually conflicts with orb.local. Correct me if I'm wrong, but wouldn't orb.local keep working for everything that can actually reach each other? The only connections that would break are the ones crossing boundaries that I set up on purpose, and that doesn't seem weird; think of a DNS name that resolves to an IP behind a firewall.
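The iptables workaround described under "alternatives", as an added example that is not part of this issue or of OrbStack's own code: a small POSIX shell script that generates (and, only when run as root with `NET_ADMIN`, applies) the `DOCKER-USER` `DROP` rules that keep two user-defined bridge networks from reaching each other. The network names and subnets are constructed sample values; on a real host they come from `docker network inspect`.

```shell
#!/bin/sh
# Added example, not from the issue or OrbStack. Emulates the per-network
# isolation native Linux Docker provides by dropping forwarded traffic that
# crosses between two user-defined bridge subnets.
#
# Subnets here are constructed samples. On a real host read them with:
#   docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' NAME

# isolation_rules NAME_A SUBNET_A NAME_B SUBNET_B
# Prints the iptables commands for both directions. DOCKER-USER is consulted
# before Docker's own FORWARD rules, so inserting at position 1 wins over the
# ACCEPT rules Docker installs for its bridges. Each command first checks with
# -C so re-running the script does not stack duplicate rules.
isolation_rules() {
  a_name=$1; a_net=$2; b_name=$3; b_net=$4
  for pair in "$a_net $b_net $a_name $b_name" "$b_net $a_net $b_name $a_name"; do
    set -- $pair
    spec="-s $1 -d $2 -m comment --comment isolate_$3_to_$4 -j DROP"
    printf 'iptables -C DOCKER-USER %s 2>/dev/null || iptables -I DOCKER-USER 1 %s\n' \
      "$spec" "$spec"
  done
}

# apply_rules NAME_A SUBNET_A NAME_B SUBNET_B
# Executes the generated commands; refuses to run without root privileges,
# since iptables needs NET_ADMIN in the VM's network namespace.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: needs root (NET_ADMIN) to modify DOCKER-USER" >&2
    return 1
  fi
  isolation_rules "$@" | sh -e
}

# count_rules NAME_A SUBNET_A NAME_B SUBNET_B
# Number of rule commands generated (two: one per direction).
count_rules() {
  isolation_rules "$@" | wc -l | tr -d ' '
}

# Dry run with constructed subnets; prints the commands without applying them.
isolation_rules frontend 172.18.0.0/16 backend 172.19.0.0/16
```

Replies within an already established connection are also dropped by these rules, which is what you want for a blast-radius boundary; if you only need to block new connections in one direction, add `-m conntrack --ctstate NEW` to that direction's `spec`.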