FRESH
Hacker News
Hacker News Hacker Newsexample:
$ OLLAMA_HOST=http://47.101.61.248:9000/ ollama run gemma3:27b "outline ww2"
Many appear to be proxies. I'm familiar with some "serverless" architectures that do things like this https://www.shodan.io/host/34.255.41.58 ... you can see this has a bunch of ollama ports running really really old versions
You can pull down "new" manifests but very few ollamas are new enough for decent modern models like glm-4.7-flash. The free tier for the kimi-k2.5:cloud is going to be far more useful then pasting these into you OLLAMA_HOST variable.
I think the real headline is: "thousands of slow machines running mediocre small models from last year. Totally open..."
Anyways, if codellama:13b is your jam, go wild I guess.
IPv4 requires an inbound NAT these days to work at all globally, unless you actually have a machine with a globally routable IP. There will probably be a default deny firewall rule too. I do remember the days before NAT ...
IPv6 doesn't require NAT (but prefix translation is available and so is ULA) but again a default deny is likely in force.
You do actually have to try quite hard to expose something to the internets. I know this because I do a lot of it.
The entire article is just a load of buzz words and basically bollocks. Yes it is possible to expose a system on the internet but it is unlikely that you do it by accident. If I was Sead, I'd go easy on the AI generated cobblers and get a real job.
I was rigging this up, myself, and conciscious of the fact that basic docker is "all or none" for container port forwarding because it's for presenting network services, had to dig around with iptables so it'd be similar to binding on localhost.
The use case https://github.com/meltyness/tax-pal
The ollama container is fairly easy to deploy, and supports GPU inference through container toolkit. I'd imagine many of these are docker containers.
e: i stand corrected, apparently -p of `docker run` can have a binding interface stipulated
e2: https://docs.docker.com/engine/containers/run/#exposed-ports which is not in some docs
e3: but it's in the man page ofc
When you do "tool calling" with an LLM, all you're doing is having the LLM generate output in a particular format you can parse out of the response; it's then your code's responsibility to run the tools (locally) and stick the results back into the conversation.
So that _specific_ part isn't RCE. It's still bad for the nine million other obvious reasons though.
But ONLY if you don't bind the listening port to any interface. So you try to create a listening port on localhost (e.g. 127.0.0.1:443) under a non-root account you get a permission error.
Edit: the thing is, you CAN expose "0.0.0.0:443" without root privileges!
I ironically found out about this website from Mr Robot tv show.
[1] https://www.glukhov.org/post/2025/09/ollama-enshittification...
To not even be able to disable data being exfiltrated with their automatic updates is terrible behavior.