Can UFW firewall block ports exposed by Docker containers? (Ubuntu 20.04 server)

Question

Summary

As a test I have a Docker a container exposing a port as 0.0.0.0:8101:80. My UFW is set up for the default to deny. I did not expect to be able to reach it from another device.

As a practice I expose docker ports as 127.0.0.1:port:port for services behind a proxy, but I would like the firewall to block the port as well.

System

OS: Ubuntu 20.04
UFW 0.36
Proxy: Nginx 1.22.1
Docker 23.0.6
Docker Compose: 2.17.3

Test Setup

UFW Rules:

$ Status: active
Logging: on (high)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW IN    Anywhere
Nginx Full                 ALLOW IN    Anywhere
8103/tcp                   ALLOW IN    Anywhere
8104/tcp                   ALLOW IN    Anywhere
8107/tcp                   DENY IN     Anywhere
8108/tcp                   DENY IN     Anywhere
OpenSSH (v6)               ALLOW IN    Anywhere (v6)
Nginx Full (v6)            ALLOW IN    Anywhere (v6)         
8103/tcp (v6)              ALLOW IN    Anywhere (v6)
8104/tcp (v6)              ALLOW IN    Anywhere (v6)
8107/tcp (v6)              DENY IN     Anywhere (v6)
8108/tcp (v6)              DENY IN     Anywhere (v6)

Docker Container listening on 8101:
- service1: 0.0.0.0:8101->80/tcp (default using 8101:80 in compose)
Docker Container listening on 8102 locally:
- service2: 127.0.0.1:8102->80/tcp
Listening on 8103, 8105 & 8107:
- With nc -l [port]

Client from another computer

Port	Firewall	Listening	`nc -vz DOMAIN PORT`
8101	default	docker any	`[domain] [IP] 8101 (ldoms-migr) open`
8102	default	docker local	`[domain] [IP] 8102 (kz-migr): Connection timed out`
8103	allow	`nc -l [port]`	`[domain] [IP] 8103 open`
8104	allow	none	`[domain] [IP] 8104: Connection refused`
8105	default	`nc -l [port]`	`[domain] [IP] 8105: Connection timed out`
8106	default	none	`[domain] [IP] 8106: Connection timed out`
8107	deny	`nc -l [port]`	`[domain] [IP] 8107: Connection timed out`
8108	deny	none	`[domain] [IP] 8108: Connection timed out`

What I think the responses mean

Open: Through firewall and the port is listening from my client (8101, 8103)
Connection timed out: Firewall blocked it (8102, 8105, 8106, 8107, 8108)
Connection refused: Through firewall and the port is NOT listening (8104)

My Question

Can I make UFW block ports in case someone change a docker compose file and does not add 127.0.0.1?

There is post that might fix my issue. https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu I haven't read the whole thing yet, but I want to comment before my question might waste anyone's time. — tobule, May 12 '23 at 19:56
Here are some posts and articles that will probably fix it. - A readable article with the fix. https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu - The original post that the article probably used. https://stackoverflow.com/questions/30383845/what-is-the-best-practice-of-docker-ufw-under-ubuntu - A script that both reference as part of the solution https://github.com/chaifeng/ufw-docker — tobule, May 12 '23 at 21:12