I exposed a Postgres container to the public internet. Again. Same mistake, third time in maybe two years. The firewall was on, `ufw status` looked clean, and I still woke up to a flood of login attempts from IPs I'd never heard of.

If you've ever run `ufw deny 5432` and assumed your database was safe behind a Docker container, this post is for you. I'm writing it mostly so future-me stops repeating the same mistake.

## The setup that bit me

Here's the classic scenario. You've got a VPS. You install UFW because that's what every tutorial tells you to do:

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```

Then you spin up a database container with a published port for "local development access":

```bash
docker run -d \
  --name pg \
  -p 5432:5432 \
  -e POSTGRES_PASSWORD=changeme \
  postgres:16
```

You check `ufw status`. Port 5432 isn't allowed.…
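A check for the setup above, as an added example that is not code from the original post: it compares the ports Docker has published beyond loopback with the ports the UFW rule list allows and reports the ones UFW never approved. The function names and the sample output are constructed for illustration.

```python
import re

# One mapping from the Ports column of `docker ps`, e.g. "0.0.0.0:5432->5432/tcp",
# ":::5432->5432/tcp" or "[::]:8000-8002->8000-8002/tcp".
PUBLISHED = re.compile(r"^(?P<ip>\S+):(?P<lo>\d+)(?:-(?P<hi>\d+))?->[\d-]+/(?P<proto>tcp|udp)$")
# A rule row from `ufw status`, e.g. "22/tcp (v6)    ALLOW    Anywhere (v6)".
UFW_ALLOW = re.compile(r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?(?: \(v6\))?\s+ALLOW\b")

def ufw_allowed(ufw_status):
    """Return {(port, proto)} for every ALLOW row; a rule without a protocol covers both."""
    allowed = set()
    for line in ufw_status.splitlines():
        m = UFW_ALLOW.match(line.strip())
        if m:
            protos = [m["proto"]] if m["proto"] else ["tcp", "udp"]
            allowed.update((int(m["port"]), p) for p in protos)
    return allowed

def unfiltered_ports(docker_ps, ufw_status):
    """List (container, ip, port, proto) published beyond loopback with no UFW allow rule."""
    allowed, findings = ufw_allowed(ufw_status), []
    for row in docker_ps.splitlines():
        name, _, ports = row.partition("\t")
        for entry in ports.split(", "):
            m = PUBLISHED.match(entry.strip())
            if not m:
                continue  # unpublished port such as "9000/tcp", or an empty column
            ip = m["ip"].strip("[]")
            if ip.startswith("127.") or ip == "::1":
                continue  # reachable from the host only
            for port in range(int(m["lo"]), int(m["hi"] or m["lo"]) + 1):
                if (port, m["proto"]) not in allowed:
                    findings.append((name, ip, port, m["proto"]))
    return findings

# Constructed sample output, not taken from the post's server.
SAMPLE_PS = ("pg\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\n"
             "web\t0.0.0.0:80->80/tcp\n"
             "cache\t127.0.0.1:6379->6379/tcp\n"
             "jobs\t9000/tcp")
SAMPLE_UFW = """Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
"""
if __name__ == "__main__":
    for name, ip, port, proto in unfiltered_ports(SAMPLE_PS, SAMPLE_UFW):
        print(f"{name}: {ip}:{port}/{proto} is published by Docker but has no UFW allow rule")
```

On a real host, pass it the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and `sudo ufw status`.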