docs(portfwd): document disabling forwarding

Signed-off-by: Casey Quinn <casey.quinn@agyn.io>

Author: casey-quinn

templates/default.yaml

@@ -489,9 +489,13 @@ networks:
 # # default: guestPortRange: [1, 65535]
 # # default: hostPortRange: [1, 65535]
 #
-# - guestIP: 0.0.0.0 # otherwise defaults to 127.0.0.1
-#   proto: any       # tcp and udp
-#   ignore: true     # don't forward these ports (guestPortRange, in this case 1-65535)
+# To disable all dynamic TCP/UDP forwarding (while keeping SSH available via `limactl shell`),
+# use a single ignore rule.
+# portForwards:
+# - guestIP: 0.0.0.0
+#   guestIPMustBeZero: false  # ensures 0.0.0.0 matches any guest interface
+#   proto: any
+#   ignore: true
 #
 # - guestPort: 7443
 #   guestIP: "0.0.0.0"        # Will match *any* interface

website/content/en/docs/config/port.md

@@ -129,4 +129,18 @@ The benchmark result, especially the throughput of vzNAT, highly depends on the
 - Hardware: MacBook Pro 2024 (M4 Max, 128 GiB)
 
 </p>
-</details>
+</details>
+
+## Disable all port forwarding
+
+To disable all dynamic TCP and UDP port forwarding from host localhost to the guest, add a single ignore rule to your instance configuration. This prevents any localhost ports from being forwarded (including IPv4 and IPv6), while SSH access via `limactl shell` continues to work.
+
+```yaml
+portForwards:
+- guestIP: 0.0.0.0
+  guestIPMustBeZero: false
+  proto: any
+  ignore: true
+```
+
+Once applied, Lima will skip creating dynamic listeners for guest services and only the SSH control channel remains active. On Lima versions prior to 2.0, omit the `guestIPMustBeZero` field (the rule still works without it).