
I'm using CentOS 7 with firewallD on my server.

I have also installed docker on this machine and added it to a trusted zone of my firewall.

I have a container that listens on port 9081, but this port is not open on the firewall, and the strange thing is that the port is accessible from my home PC.

This is the output of firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 443/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I have two active zones: trusted and public.

Here is the output of the command firewall-cmd --zone=trusted --list-all

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources:
  services:
  ports: 4243/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Clearly the port 9081 is not open in any zone, but still, I can access it. Why? How do I close it?

Amin_it

1 Answer

I realized that there are some errors running Docker with firewallD.

A simple workaround is to change how you define your ports in Docker. In my case I had to change my docker-compose to this:

ports:
- "127.0.0.1:9081:8081"

The important part is using 127.0.0.1 before defining the host port.

Amin_it
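
To check a host for this situation, the following added example (not code from the question or the answer) compares the host bindings Docker reports for published ports with the `ports:` line of a firewalld zone, and lists every port that is published on a non-loopback address without being listed in the zone. It assumes the input comes from `docker ps --format '{{.Names}}\t{{.Ports}}'` and `firewall-cmd --zone=public --list-ports`; the container names in the sample are constructed, and ports opened through firewalld services (such as ssh) are not considered.

```python
import ipaddress
import re

# One published mapping from `docker ps --format '{{.Names}}\t{{.Ports}}'`,
# e.g. "0.0.0.0:9081->8081/tcp", ":::9081->8081/tcp", "[::]:9081->8081/tcp".
# Entries without "->" (such as "8081/tcp") are not published on the host.
MAPPING = re.compile(
    r"^\[?(?P<ip>[0-9a-fA-F:.]+?)\]?:(?P<lo>\d+)(?:-(?P<hi>\d+))?->"
    r"\d+(?:-\d+)?/(?P<proto>tcp|udp|sctp)$"
)


def port_set(spec):
    """Expand a firewalld port list such as "443/tcp 8000-8002/udp"."""
    ports = set()
    for item in spec.split():
        rng, proto = item.split("/")
        lo, _, hi = rng.partition("-")
        ports.update((p, proto) for p in range(int(lo), int(hi or lo) + 1))
    return ports


def unfiltered_ports(docker_ps_lines, firewalld_ports):
    """Ports published on a non-loopback address but absent from the zone."""
    allowed = port_set(firewalld_ports)
    findings = set()
    for line in docker_ps_lines:
        name, _, ports = line.partition("\t")
        for entry in (p.strip() for p in ports.split(",")):
            m = MAPPING.match(entry)
            if not m or ipaddress.ip_address(m["ip"]).is_loopback:
                continue  # unpublished, or bound to 127.0.0.1 / ::1 only
            lo = int(m["lo"])
            for port in range(lo, int(m["hi"] or lo) + 1):
                if (port, m["proto"]) not in allowed:
                    findings.add((name, port, m["proto"]))
    return sorted(findings)


# Constructed sample input; container names are made up, ports are the page's.
PUBLIC_ZONE_PORTS = "443/tcp 80/tcp"  # `ports:` line of the public zone
BEFORE = ["app\t0.0.0.0:9081->8081/tcp, :::9081->8081/tcp",
          "web\t0.0.0.0:443->443/tcp"]
AFTER = ["app\t127.0.0.1:9081->8081/tcp", "web\t0.0.0.0:443->443/tcp"]

if __name__ == "__main__":
    print("before:", unfiltered_ports(BEFORE, PUBLIC_ZONE_PORTS))
    print("after: ", unfiltered_ports(AFTER, PUBLIC_ZONE_PORTS))
```

With the original mapping the check reports port 9081; with the `127.0.0.1:9081:8081` mapping from the answer it reports nothing.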