From 42ad59204d09b73d825d34495bcb8c5e1be9e38e Mon Sep 17 00:00:00 2001 From: scetu <scetu@users.noreply.github.com> Date: Thu, 10 Apr 2025 18:18:10 +0200 Subject: [PATCH 1/2] add section about Docker's generated NAT rules bypassing host firewall --- .../docs/02-Getting Started/02-dns-networking.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/packages/docusaurus/docs/02-Getting Started/02-dns-networking.md b/packages/docusaurus/docs/02-Getting Started/02-dns-networking.md index 081377f..225c1d8 100644 --- a/packages/docusaurus/docs/02-Getting Started/02-dns-networking.md +++ b/packages/docusaurus/docs/02-Getting Started/02-dns-networking.md @@ -38,7 +38,15 @@ If you intend to use the root of your domain, then you will need an additional A ## Ports to Expose -When you setup your VPS you want to make sure that you expose the following ports **on the VPS itself**. +:::warning + +**Docker Port Exposure Caveat:** +Docker automatically creates iptables NAT rules when container ports are published (using `-p` or docker-compose). These rules can bypass host firewall settings (such as UFW or firewalld), causing ports to be accessible from external networks even if they aren’t explicitly allowed by your firewall. Always verify your exposed ports (e.g., with [nmap](https://nmap.org/) or [RustScan](https://github.com/bee-san/RustScan)) and ensure you only expose the ports that are absolutely necessary. For more details, see [Docker’s port publishing documentation](https://docs.docker.com/engine/network/packet-filtering-firewalls/#port-publishing-and-mapping). + +::: + + +Following ports should be exposed on Operating system level. ### TCP 80 
@@ -60,7 +68,7 @@ This is the default WireGuard port and is used for Newt and WireGuard clients to :::warning -Its important to **ONLY** expose the ports you need. Effectively by tunneling out to the VPS you are including the VPS in your security boundary and should consider it part of your network and secure it as such. +Its important to **ONLY** expose and verify exposed the ports you need. Effectively by tunneling out to the VPS you are including the VPS in your security boundary and should consider it part of your network and secure it as such. ::: From 16fd273a4573d8860f0212590688b2bc152701c3 Mon Sep 17 00:00:00 2001 From: scetu <scetu@users.noreply.github.com> Date: Thu, 10 Apr 2025 18:37:12 +0200 Subject: [PATCH 2/2] add warning also into quick-install page --- packages/docusaurus/docs/02-Getting Started/03-quick-install.md | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/docusaurus/docs/02-Getting Started/03-quick-install.md b/packages/docusaurus/docs/02-Getting Started/03-quick-install.md index d1dbba8..219a1b4 100644 --- a/packages/docusaurus/docs/02-Getting Started/03-quick-install.md +++ b/packages/docusaurus/docs/02-Getting Started/03-quick-install.md @@ -9,6 +9,7 @@ import WgetQuickInstaller from "@site/src/components/WgetQuickInstaller"; - We recommend Ubuntu or Debian based systems - [A domain name pointed to your server's IP address](./02-dns-networking.md) - [TCP ports 80, 443, and UDP port 51820 exposed to your Linux instance.](./02-dns-networking.md) + - **Note:** Docker’s NAT-based port publishing feature automatically exposes all ports defined in `docker-compose` file. This behavior can bypass your host firewall settings, potentially exposing services that you did not intend to make public. It is important to review and manage these port configurations to minimize security risks. - An email address for Let's Encrypt certificate registration - (Optionally) a SMTP server
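Review bot: The replacement sentence in the first hunk of 02-dns-networking.md, `+Following ports should be exposed on Operating system level.`, is missing an article and has inconsistent casing; suggest `The following ports should be exposed at the operating-system level.`, or simply keep the removed wording ("expose the following ports **on the VPS itself**") and place the new admonition above it. The admonition explains the problem but not the fix: since it already links Docker's packet-filtering page, add one sentence on the two documented mitigations, binding published ports to a specific address (e.g. `127.0.0.1:8080:80` instead of `8080:80`) or placing host rules in the `DOCKER-USER` chain, which Docker reserves for exactly this purpose; scanning with nmap only confirms exposure after the fact. "Bypass host firewall settings" is also slightly imprecise: published ports are reachable because Docker's rules act in the FORWARD chain before UFW's, so INPUT-based `ufw deny` rules never see that traffic, and saying so helps readers understand why their firewall appears not to work. Minor: two blank lines follow the closing `:::`; one is enough.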
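Review bot: The edited warning in the second hunk of 02-dns-networking.md, `+Its important to **ONLY** expose and verify exposed the ports you need.`, has a word-order error and does not parse; suggest `It's important to **ONLY** expose the ports you need, and to verify which ports are actually reachable from outside.` (this also fixes the pre-existing `Its` → `It's`).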
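Review bot: The added note in the 03-quick-install.md hunk overstates Docker's behaviour: "automatically exposes all ports defined in `docker-compose` file" is wrong, because only mappings listed under `ports:` are published on the host, while `expose:` entries and ports a container merely listens on stay unreachable from outside. Suggest `Docker publishes every mapping listed under `ports:` in your Compose file directly on the host, and that publishing is not governed by UFW/firewalld rules`. The line is also indented by a single space (`+ - **Note:**`), which CommonMark renderers such as Docusaurus' treat as a sibling bullet rather than a note nested under the ports item; indent it two spaces to nest it, or fold it into the parent bullet. Since 02-dns-networking.md now carries the full admonition, consider linking to that section instead of restating it so the two copies do not drift.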