by skibbityboop 1060 days ago
> yes, it adds a forwarding rule. Which skips over the rest of my firewall rules.

... which you explicitly asked it to do by using the -p option.


Not explicitly, no. The flag is `--publish`, not `--publish-regardless-of-firewall-rules`. It looks for all the world like the usual server --listen or --port options unless you happen to know about this little "feature".
-p explicitly asks for forwarding, it doesn't ask for it to be applied before firewall rules.
The issue is UFW ignoring other firewall rules; Docker just adds itself to iptables, but UFW actively ignores other chains. The bug is UFW being insecure by design.
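A check for the chain ordering this thread is arguing about, added here as an example and not code from any of the commenters: it parses `iptables -S` style listings (constructed samples below, with `eth0` and the `192.168.1.0/24` LAN assumed) to tell whether UFW's forward chains are ever consulted for published ports, and whether the `DOCKER-USER` chain, which Docker jumps to before its own `DOCKER` chain, carries any restriction.

```shell
#!/bin/sh
# Constructed `iptables -S FORWARD` listing from a host running Docker and UFW.
# Docker inserts its jumps at the top of FORWARD, so a packet to a published
# port is ACCEPTed in the DOCKER chain before the ufw-* chains are consulted.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-reject-forward'

# Constructed `iptables -S DOCKER-USER` listings: Docker's default (RETURN only)
# and one where the admin drops unsolicited external traffic on eth0 (assumed).
DOCKER_USER_DEFAULT='-N DOCKER-USER
-A DOCKER-USER -j RETURN'
DOCKER_USER_HARDENED='-N DOCKER-USER
-A DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
-A DOCKER-USER -j RETURN'

# 1-based position in FORWARD of the first rule jumping to a chain matching
# the regex in $2; prints 0 when there is none.
first_jump_pos() {
  printf '%s\n' "$1" | grep '^-A FORWARD' | grep -n -- "-j $2" \
    | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# Succeeds only if ufw-before-forward is evaluated before the DOCKER chain,
# i.e. UFW's forward rules actually see traffic to published ports.
ufw_sees_published_ports() {
  docker_pos=$(first_jump_pos "$1" 'DOCKER$')
  ufw_pos=$(first_jump_pos "$1" 'ufw-before-forward')
  [ "$docker_pos" -eq 0 ] && return 0
  [ "$ufw_pos" -ne 0 ] && [ "$ufw_pos" -lt "$docker_pos" ]
}

# Succeeds if DOCKER-USER, the chain Docker reserves for admin rules and
# consults first, carries a DROP/REJECT rule for the external interface in $2.
docker_user_filters_iface() {
  printf '%s\n' "$1" | grep '^-A DOCKER-USER' | grep -- "-i $2 " \
    | grep -Eq -- '-j (DROP|REJECT)'
}

if ufw_sees_published_ports "$SAMPLE_FORWARD"; then
  echo "UFW forward rules apply to published ports"
else
  echo "DOCKER chain wins; restrictions belong in DOCKER-USER"
fi
```

On a live host, feed it `"$(iptables -S FORWARD)"` and `"$(iptables -S DOCKER-USER)"` instead of the samples.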