If you expose a port in a docker container, it is open on the host.

If the port is, e.g., 80 for a web server, that's fine.

If it's a control port, then that's asking for trouble.

Many container projects used to open all ports the application uses, for the convenience of newbies, so they could just say "docker run container" without any options.

The usual purpose for containers is to be deployed via Compose, Swarm or Kubernetes, which can open all the ports.

As I mentioned, Docker can overwrite firewall rules.

I have had cases of finding a port open to the internet even though my Compose file had port specifications that didn't include it and the port was blocked in ufw.

So the best practice is to never use EXPOSE in a Dockerfile; use the deployment to handle the port openings, and in general keep as many ports closed as possible.

Docker has internal networking between containers, and reverse proxies are also usually a better option for routing traffic from the web to your container.

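A check for the situation the post describes, as an added example that is not part of the original post or of any Docker project code: it audits the `ports:` entries of a Compose file and flags every mapping that lands on all host interfaces. The mechanism behind the "ufw blocked it but it was still open" surprise is that a published port is implemented by Docker's own iptables chains (DNAT in `PREROUTING`, then `DOCKER` in `FORWARD`); the traffic is forwarded to the container rather than delivered locally, so ufw's `INPUT` rules never see it. A `ports:` entry with no host IP is published on `0.0.0.0` and `::`, which is what the checker looks for; an `expose:` key (or `EXPOSE` in a Dockerfile) on its own only marks container-network ports and is not treated as a host binding here. The Compose content is assumed to have been loaded into a dict already (PyYAML or similar); the sample services below are constructed for illustration.

```python
"""Flag docker-compose port mappings that are published on every host interface.

Added example, not from the original post. Assumes the compose file has already
been parsed into a dict (e.g. with yaml.safe_load); SAMPLE_COMPOSE below is a
constructed stand-in for such a file.
"""
from dataclasses import dataclass

# Docker treats a missing or wildcard host address as "all interfaces".
ALL_INTERFACES = {"", "0.0.0.0", "::"}


@dataclass(frozen=True)
class PortMapping:
    host_ip: str         # "" when unspecified: Docker then binds 0.0.0.0 and ::
    host_port: str       # "" when Docker should pick an ephemeral host port
    container_port: str
    protocol: str        # "tcp" or "udp"

    @property
    def on_all_interfaces(self) -> bool:
        return self.host_ip in ALL_INTERFACES


def parse_short_port(spec) -> PortMapping:
    """Parse compose short syntax: [host_ip:][host_port:]container_port[/proto].

    Handles "80:80", "127.0.0.1:8080:80", "127.0.0.1::80" (ephemeral host port),
    "[::1]:6060:6060" (bracketed IPv6 host address), "5000" and "/udp" suffixes.
    """
    spec = str(spec)
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = ""
    if spec.startswith("["):                      # bracketed IPv6 host address
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:]
        if spec.startswith(":"):                  # drop the separator only, keep
            spec = spec[1:]                       # an empty host_port field intact
        parts = spec.split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip = parts.pop(0)
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortMapping(host_ip, host_port, container_port, proto.lower())


def parse_long_port(entry: dict) -> PortMapping:
    """Parse compose long syntax: {target, published, host_ip, protocol}."""
    return PortMapping(
        host_ip=str(entry.get("host_ip", "")),
        host_port=str(entry.get("published", "")),
        container_port=str(entry["target"]),
        protocol=str(entry.get("protocol", "tcp")).lower(),
    )


def parse_port(entry) -> PortMapping:
    return parse_long_port(entry) if isinstance(entry, dict) else parse_short_port(entry)


def audit_services(compose: dict) -> list:
    """Return one finding string per mapping that is reachable on all host interfaces.

    Only "ports:" publishes to the host; "expose:" alone is container-network only
    and is deliberately ignored here.
    """
    findings = []
    for name, service in compose.get("services", {}).items():
        for entry in service.get("ports", []) or []:
            m = parse_port(entry)
            if m.on_all_interfaces:
                shown = m.host_port or "<ephemeral>"
                findings.append(
                    f"{name}: host {shown}/{m.protocol} -> container {m.container_port} "
                    f"is published on all interfaces (bypasses ufw INPUT rules); "
                    f"bind it to 127.0.0.1 or drop it and route via the reverse proxy"
                )
    return findings


# Constructed sample: mimics a compose file with a mix of safe and unsafe mappings.
SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "nginx", "ports": ["80:80", "443:443/tcp"]},
        "app": {"image": "myapp", "ports": ["127.0.0.1:8080:8080",
                                            {"target": 9000, "published": 9000}]},
        "db": {"image": "postgres", "expose": ["5432"]},   # no ports: not host-bound
        "debug": {"image": "myapp", "ports": ["[::1]:6060:6060", "5000"]},
    }
}

if __name__ == "__main__":
    for line in audit_services(SAMPLE_COMPOSE):
        print(line)
```

Running it on the constructed sample reports `web` twice (80 and 443), `app` for the long-syntax 9000 mapping that omits `host_ip`, and `debug` for the bare `5000`, whose host port is ephemeral but still bound to all interfaces; the loopback-bound 8080 and `[::1]` 6060 mappings and the `expose`-only `db` service pass. Binding to `127.0.0.1` and fronting the container with a reverse proxy, as the post recommends, is the fix the findings point at.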

Discussion

Thanks!