Adapting Podman Container Environments for Nmap Tooling
Rinnemäki, Jouni (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2025062723528
Abstract
The suitability of running Nmap, a widely used network-security scanner, inside Podman containers was examined. The objective was to determine whether containerisation improves portability, security and operational manageability compared with native Nmap installations, particularly on Windows systems, where a native install normally requires the Npcap kernel driver.
The work was carried out experimentally. Podman 3.4 on Ubuntu 22.04 (the default WSL2 installation) and Podman 5.5 on Fedora 42 were deployed; a separate podman-machine based on Fedora CoreOS 41 was configured to represent the Windows Desktop workflow. Nmap SYN, ICMP and ARP scans were executed against external, LAN and intra-VM targets under varying capability sets. Testing showed that containerised Nmap retained full scanning functionality once CAP_NET_RAW was granted, while Windows itself loaded no kernel drivers, so the host's attack surface was reduced.
gvproxy NAT and Netavark bridges provided two additional isolation layers: unsolicited inbound traffic was blocked unless ports were explicitly published, and rootless mode kept ARP broadcasts inside the container's network namespace.
Portability goals were met; identical commands ran on Linux, Windows 11 + WSL2 and Windows CMD. Management overhead was limited to three CLI steps and removal left no residual files.
It is concluded that Podman delivers a reproducible, ephemeral and safer environment for teaching or auditing with Nmap. Limitations include higher latency through user-mode NAT and the need to elevate capabilities for raw-socket scans.
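The capability finding above (raw-socket scans work only once CAP_NET_RAW is granted) is the one a practitioner most often has to verify by hand, because a missing capability surfaces as Nmap silently falling back to a connect scan rather than as an error. The following POSIX shell helper is an added example and not code from the thesis: it decodes a capability mask as reported in /proc/self/status (CapEff), checks for CAP_NET_RAW (bit 13 in linux/capability.h), and prints the podman command line used here. The image name localhost/nmap, the Nmap flags, and the two sample masks are my own assumptions; the default mask is computed from the default capability list in Podman's containers.conf as I understand it, and the thesis's exact "three CLI steps" are not on this page.

```bash
#!/bin/sh
# Added example: check whether a Podman container actually holds CAP_NET_RAW,
# the one capability Nmap needs for raw-socket scans (-sS, ICMP ping, ARP).
# Bit numbers follow linux/capability.h (CAP_NET_RAW = 13).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# has_cap HEXMASK BIT: exit 0 when BIT is set in HEXMASK (hex as in CapEff).
has_cap() {
  mask=$(( 0x$1 ))
  [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# cap_decode HEXMASK: print the capability names set in HEXMASK, lowest bit first
# (the same information `capsh --decode` gives, without needing libcap tools).
cap_decode() {
  mask=$(( 0x$1 ))
  bit=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out }cap_$name"
    fi
    bit=$(( bit + 1 ))
  done
  printf '%s\n' "$out"
}

# capeff_self: CapEff of the running shell, read from procfs with plain shell
# so it also works in minimal images without awk. Fails outside Linux.
capeff_self() {
  [ -r /proc/self/status ] || return 1
  while read -r key val rest; do
    if [ "$key" = "CapEff:" ]; then
      printf '%s\n' "$val"
      return 0
    fi
  done < /proc/self/status
  return 1
}

# nmap_run_cmd IMAGE ARGS...: print the podman invocation used in this example.
# --rm keeps the container ephemeral; --cap-add=NET_RAW is the only capability
# added on top of Podman's defaults. Rootless vs. rootful is decided by which
# user runs podman, not by this command line. IMAGE is assumed to be an image
# you built yourself with nmap installed (hypothetical name localhost/nmap).
nmap_run_cmd() {
  image=$1
  shift
  printf 'podman run --rm --cap-add=NET_RAW %s nmap %s\n' "$image" "$*"
}

# Constructed sample masks (illustrative, not captured from the thesis):
# SAMPLE_DEFAULT is the mask for Podman's default capability list in
# containers.conf (chown, dac_override, fowner, fsetid, kill, setgid, setuid,
# setpcap, net_bind_service, sys_chroot, setfcap); SAMPLE_WITH_RAW adds bit 13.
SAMPLE_DEFAULT=00000000800405fb
SAMPLE_WITH_RAW=00000000800425fb

# On a Linux host, report this shell's own effective capabilities. Run the same
# script inside the container (e.g. via `podman run ... sh capcheck.sh`) to see
# whether --cap-add=NET_RAW took effect before launching a SYN scan.
if eff=$(capeff_self); then
  if has_cap "$eff" 13; then
    echo "CAP_NET_RAW present: $(cap_decode "$eff")"
  else
    echo "CAP_NET_RAW missing: $(cap_decode "$eff")"
  fi
fi
```

Running the check inside the container rather than on the host is the point: in rootless mode CAP_NET_RAW is granted within the container's user namespace, which is enough for Nmap's raw sockets in the container's own network namespace, and the decoded list shows exactly which extra capabilities a `--cap-add` or `--privileged` flag handed out beyond the one Nmap needs.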