UFW does not block outside access on EE4. Can we get a change in the next EE release that isolates the containers so they are not accessible outside the VM?
The goal is to have every site use CloudFlare as a proxy, then block all external 80/443 traffic except for CloudFlare.