Registered · Cross-platform

2375 Docker API (plain)

TCP Yes
UDP Reserved
SCTP
DCCP

What it is

Unauthenticated Docker Engine REST API.

When / why

NEVER expose — equivalent to root on the host. Use 2376 (TLS) or a local socket.

Protocol status detail

TransportStatusMeaning
TCP Yes Assigned by IANA and standardized, specified, or widely used on this port.
UDP Reserved Reserved by IANA, generally to prevent collisions after a withdrawn assignment.
SCTP Not applicable for this transport.
DCCP Not applicable for this transport.

Port range

Registered (1024–49151). Assigned by IANA on request; usable without elevated privileges on most systems.

Browse all ports →

Firewall rules for port 2375

Copy-ready inbound rules for the active transports. Replace every <source> placeholder with the specific host, subnet, or CIDR that should reach this port.

⚠ High exposure risk — this service should never be reachable from untrusted networks. Scope the rule to a management subnet or VPN.

ufw

sudo ufw allow proto tcp from <source> to any port 2375

Allow TCP 2375 (Docker API (plain)). Replace <source> with the network/host that should reach it.

firewalld

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<source>" port port="2375" protocol="tcp" accept'

Allow TCP 2375 (Docker API (plain)) from <source>. Run 'firewall-cmd --reload' afterwards.

nftables

nft add rule inet filter input ip saddr <source> tcp dport 2375 accept

Allow TCP 2375 (Docker API (plain)). Assumes table 'inet filter' with an 'input' chain.

iptables

sudo iptables -A INPUT -p tcp -s <source> --dport 2375 -j ACCEPT

Allow TCP 2375 (Docker API (plain)). Persist with iptables-save/netfilter-persistent.

Azure NSG

az network nsg rule create -g <resource-group> --nsg-name <nsg> -n Allow-dockerapiplain-2375 --priority 1000 --access Allow --direction Inbound --protocol TCP --source-address-prefixes <source> --destination-port-ranges 2375

Inbound rule for 2375 (Docker API (plain)). Set <source> to a CIDR; lower priority number = higher precedence.

AWS Security Group

aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions IpProtocol=tcp,FromPort=2375,ToPort=2375,IpRanges="[{CidrIp=<source-cidr>}]"

Inbound TCP 2375 (Docker API (plain)). Replace <source-cidr> (e.g. 10.0.0.0/16).

GCP firewall

gcloud compute firewall-rules create allow-dockerapiplain-2375 --direction=INGRESS --action=ALLOW --rules=tcp:2375 --source-ranges=<source-cidr> --network=<network>

Ingress rule for 2375 (Docker API (plain)). Scope with --source-ranges and optionally --target-tags.

Windows netsh

netsh advfirewall firewall add rule name="Allow Docker API (plain) 2375/TCP" dir=in action=allow protocol=TCP localport=2375 remoteip=<source>

Inbound TCP 2375 (Docker API (plain)). Set remoteip to a host/subnet; 'any' is discouraged.

Windows PowerShell

New-NetFirewallRule -DisplayName "Allow Docker API (plain) 2375/TCP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 2375 -RemoteAddress <source>

Inbound TCP 2375 (Docker API (plain)). Replace <source> with a host or subnet.

Rules are generated only for transports marked active for this port. They default to an inbound allow with an explicit source placeholder — never any. Review direction, scope, and rule precedence before applying in production.