In the docker-compose.yml file it has:
# expose port to localhost too
- "8000:8000"
I never used ufw-docker but normal behavior with Docker here would publish 8000 to the outside world allowing someone to bypass your proxy and directly visit http://example.com:8000. Does ufw-docker not do that? The comment hints that they probably want to use "127.0.0.1:8000:8000" instead of "8000:8000" to be explicit, or at the very least should call out that ufw-docker is doing something special to block it because by default using 8000:8000 is quite dangerous to use with Docker and iptables.I'm also curious about this quote:
> Docker does not play well with iptables, so I use ufw-docker to set up the firewall.
I never had any issues using iptables with Docker. What doesn't play nicely?
There's no problem if you use only basic iptables rules but ufw use iptables in a very complicated way. If you want ufw and docker to play well together, you have to disable docker's iptables manipulations or use ufw-docker as the author. More about that at ufw-docker documentation https://github.com/chaifeng/ufw-docker