Docker docs:
Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.
ufw just manages iptables rules, if docker overrides those it’s on them IMO
Feels weird that an application is allowed to override iptables though. I get that when it’s installed with root everything’s off the table, but still…
It is decidedly weird, and it’s something docker handles very poorly.
iptables is deprecated for like a decade now, the fact that both still use it might be the source of the problem here.