I was shocked to learn that dockerd will create holes in your firewall to route traffic from the outside to your containers.
# netstat -nlp --tcp
..
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:8010
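
One way to check a host for such rules, as an added example that is not from the original post: the Python function below scans non-verbose `iptables -L` output for ACCEPT rules in the DOCKER chain that match any source address. The sample listing is constructed (only the first DOCKER rule is the one shown above), and the function name `open_docker_rules` is hypothetical.

```python
import re

# Constructed sample in `iptables -L` layout. The first DOCKER rule is the one
# from the listing above; every other line is made up for this example.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:8010
ACCEPT     tcp  --  10.0.0.0/8           172.19.0.3           tcp dpt:5432
"""

# "anywhere" is printed without -n, the CIDR forms with -n.
ANY_SOURCE = {"anywhere", "0.0.0.0/0", "::/0"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PORT_RE = re.compile(r"\bdpts?:(\S+)")


def open_docker_rules(listing, chain="DOCKER"):
    """Return ACCEPT rules in `chain` that admit traffic from any source."""
    found, current = [], None
    for line in listing.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            current = header.group(1)
            continue
        fields = line.split()
        # Rule rows: target prot opt source destination [match details...]
        # The column-title row is skipped because its first field is "target".
        if current != chain or len(fields) < 5 or fields[0] != "ACCEPT":
            continue
        _target, proto, _opt, source, dest = fields[:5]
        if source not in ANY_SOURCE:
            continue
        port = PORT_RE.search(line)
        found.append({"proto": proto, "container": dest,
                      "port": port.group(1) if port else None})
    return found


if __name__ == "__main__":
    # Container traffic is forwarded, so the INPUT policy above does not filter it.
    for rule in open_docker_rules(SAMPLE):
        print("reachable from any source: {container}:{port}/{proto}".format(**rule))
```
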