So this is kind of a generic question, but I'm seeking advice for the best way to secure a VPS (recently picked up a pretty beefy VPS for cheap on Cyber Monday).  

So the issue I am running into is that when you install Docker and deploy an image with the `-p` option, it creates a related rule in nftables (running Debian 11).  My original plan was to throw down ufw, forward only 80/443 and reverse proxy the things I wanted publicly exposed (very little), and everything else would only be accessible via WireGuard.  

I set up WireGuard, got that working and everything, then deployed a Syncthing container (to back up certain files from an on-prem box).  I didn't create a rule in ufw for the UI, yet I was able to browse to it, and that's when I started researching and learned that the `-p` option was creating those nft rules.  This is not what I want; I want the Syncthing UI to only be available to my clients connected to this VPS with WireGuard, but I'm not sure how to achieve this.  

Any suggestions?  How are you running dockers on a VPS without exposing it all on the internet?
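As an added illustration (not part of the original post), one way to keep a published port off the public interface is to put the host address in front of the port mapping: `-p 8384:8384` binds `0.0.0.0` and installs the DNAT rule the post describes, while `-p 10.8.0.1:8384:8384` only binds (and only DNATs for) that one address. The script below builds that argument and then checks `docker port` output for any binding that is still listening on every interface. The WireGuard address `10.8.0.1`, the container name and the port `8384` (Syncthing's default GUI port) are assumptions; substitute the values from your own `wg0.conf`.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed WireGuard address of
# the VPS side of the tunnel; replace with the Address= line in wg0.conf.
WG_ADDR="10.8.0.1"

# Build a -p argument that publishes a container port on WG_ADDR only.
# Docker's default "-p HOST:CONTAINER" form binds 0.0.0.0 (and [::]) and
# adds a DNAT rule that matches any destination; prefixing a host IP limits
# both the socket bind and the DNAT match to that address.
# $1 = host port, $2 = container port, $3 = protocol (default tcp)
wg_publish() {
  printf '%s:%s:%s/%s' "$WG_ADDR" "$1" "$2" "${3:-tcp}"
}

# Read "docker port <container>" output on stdin, one mapping per line, e.g.
#   8384/tcp -> 0.0.0.0:8384
#   8384/tcp -> [::]:8384
# Print every mapping whose host address is the wildcard (reachable from any
# interface, ufw or not) and return 1 if any were found, 0 if none were.
find_public_binds() {
  awk '$2 == "->" && $3 ~ /^(0\.0\.0\.0|\[::\]):/ { print; found = 1 }
       END { exit found ? 1 : 0 }'
}

# Deploy only when explicitly asked, so the file can also be sourced for
# the functions above. Image and container name are assumptions.
if [ "${1:-}" = "deploy" ]; then
  docker run -d --name syncthing \
    -p "$(wg_publish 8384 8384)" \
    -v syncthing-data:/var/syncthing \
    syncthing/syncthing

  # Verify after start: anything bound to 0.0.0.0 or [::] is public.
  if ! docker port syncthing | find_public_binds; then
    echo "WARNING: the mappings above are reachable from the public interface" >&2
    exit 1
  fi
  echo "all published ports are bound to $WG_ADDR"
fi
```

Two caveats when using this: the `wg0` interface has to be up before the container starts (Docker cannot bind to an address that does not exist yet, so on reboot the WireGuard unit must come up first), and the port is still reachable from other containers on the same Docker bridge, since that traffic never goes through the published-port rule. If Syncthing's sync port 22000 needs to reach the on-prem box directly rather than over the tunnel, publish only that port on the public address and keep the GUI on the WireGuard address.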