docs(portfwd): document disabling forwarding

rowan-stein · rowan-stein · commit 276aca1b7f32 · 2025-11-26T13:05:36.000+01:00
Signed-off-by: Rowan Stein &lt;rowan.stein@agyn.io&gt;
Signed-off-by: Benkovichnikita &lt;benkovich@agyn.io&gt;
Signed-off-by: Casey Quinn &lt;casey.quinn@agyn.io&gt;
diff --git a/templates/default.yaml b/templates/default.yaml
@@ -327,7 +327,7 @@ minimumLimaVersion: 2.0.0
 # EXPERIMENTAL
 # Default settings can be imported from base templates. These will be merged in when the instance
 # is created, and the combined template is stored in the instance directory.
-# This setting can be either a single string (URL), or a list of locators.
+# This setting ca be either a single string (URL), or a list of locators.
 # A locator is again either a string (URL), or an object with "url" and "digest" properties, e.g.
 # base: [{url: ./base.yaml, digest: decafbad}, …]
 # The "digest" property is currently unused.
@@ -489,9 +489,13 @@ networks:
 # # default: guestPortRange: [1, 65535]
 # # default: hostPortRange: [1, 65535]
 #
-# - guestIP: 0.0.0.0 # otherwise defaults to 127.0.0.1
-#   proto: any       # tcp and udp
-#   ignore: true     # don't forward these ports (guestPortRange, in this case 1-65535)
+# To disable all dynamic TCP/UDP forwarding (while keeping SSH available via `limactl shell`),
+# use a single ignore rule.
+# portForwards:
+# - guestIP: 0.0.0.0
+#   guestIPMustBeZero: false  # ensures 0.0.0.0 matches any guest interface
+#   proto: any
+#   ignore: true
 #
 # - guestPort: 7443
 #   guestIP: "0.0.0.0"        # Will match *any* interface
diff --git a/website/content/en/docs/config/port.md b/website/content/en/docs/config/port.md
@@ -129,4 +129,18 @@ The benchmark result, especially the throughput of vzNAT, highly depends on the
 - Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)
 
 </p>
-</details>
+</details>
+
+## Disable all port forwarding
+
+To disable all dynamic TCP and UDP port forwarding, add a single ignore rule to your instance configuration. SSH access via `limactl shell` continues to work.
+
+```yaml
+portForwards:
+- guestIP: 0.0.0.0
+  guestIPMustBeZero: false
+  proto: any
+  ignore: true
+```
+
+On Lima versions prior to 2.0, omit the `guestIPMustBeZero` field (the rule still works without it).
