Docker Silently Bypasses UFW Firewall, Exposing Databases to the Internet
Docker's default port publishing behavior silently circumvents UFW firewall rules on Linux, exposing database ports directly to the internet. The issue is well-documented but continues to catch system administrators and self-hosters off guard, creating persistent attack surfaces on production servers.
When Docker publishes a port with the usual Compose syntax (`ports: - "5432:5432"`), it inserts its own iptables NAT and forwarding rules into Docker-managed chains that are evaluated before the chains UFW controls, so UFW's higher-level rules never apply to that traffic. The result: databases and services that administrators believe are firewalled remain openly accessible from any IP address. The correct mitigation requires explicitly binding published ports to localhost using `ports: - "127.0.0.1:5432:5432"`, which restricts access to the local machine only. Without this explicit binding, Docker's default behavior creates a dangerous gap between perceived and actual security posture.
The implications are significant for anyone running self-hosted applications on VPS infrastructure. Database exposure remains one of the most common vectors for data breaches and ransomware attacks. The recurring nature of this misconfiguration, documented across multiple forums and incident reports, suggests the problem is systemic rather than isolated. Administrators who rely on UFW status indicators without independently verifying port exposure may operate under false assumptions about their security boundaries. Routine port scanning and external security audits remain essential for validating firewall effectiveness in Dockerized environments.
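One way to do the independent verification the article calls for, from the host itself rather than with an external scan, is to read Docker's own port table and flag every published port bound to a wildcard address. This is an added example, not code from the article; it assumes the `docker ps --format '{{.Names}}\t{{.Ports}}'` output layout and runs here on a constructed sample instead of a live daemon.

```shell
#!/bin/sh
# Added example (not from the original article): list published container
# ports that Docker bound to all interfaces (0.0.0.0, :::, [::]), i.e. ports
# reachable from outside no matter what `ufw status` reports.
# Input: text in the shape of `docker ps --format '{{.Names}}\t{{.Ports}}'`.

# Prints one line per wildcard-bound published port: "<container> <hostport>/<proto>"
find_wildcard_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
    {
        name = $1
        # The Ports column is a comma-separated list of mappings
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # Only published mappings contain "->"; a bare "5432/tcp" is
            # exposed inside the container network only, not on the host
            if (m !~ /->/) continue
            split(m, parts, /->/)
            host = parts[1]                      # e.g. "0.0.0.0:5432"
            proto = parts[2]                     # e.g. "5432/tcp"
            sub(/^[0-9]+\//, "", proto)          # keep just "tcp"/"udp"
            # Wildcard host addresses: IPv4 0.0.0.0, IPv6 ::: (older) or [::]: (newer)
            if (host ~ /^0\.0\.0\.0:/ || host ~ /^:::/ || host ~ /^\[::\]:/) {
                sub(/^.*:/, "", host)            # strip address, keep host port
                print name " " host "/" proto
            }
        }
    }' | sort -u
}

# Constructed sample in the exact shape docker ps prints (no real host involved):
# postgres published on all interfaces, redis correctly bound to 127.0.0.1,
# web intentionally public, worker with an unpublished (container-only) port.
SAMPLE_PS="$(printf 'postgres\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\nredis\t127.0.0.1:6379->6379/tcp\nweb\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\nworker\t5432/tcp\n')"

# On a live host: find_wildcard_ports "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
find_wildcard_ports "$SAMPLE_PS"
```

Expected output for the sample is `postgres 5432/tcp`, `web 443/tcp` and `web 80/tcp`; the redis binding is not reported because it is limited to loopback. For ports that must stay published to the world, Docker's documented place for host-level filtering is the `DOCKER-USER` iptables chain, not UFW's own rule set.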