Firewall rules, apache proxy and docker

Hello all,
I have setup Bitwarden_rs and it is working well.
I’ve setup a systemd service on my Ubuntu 20.04 host woth the option:

-p 9011:80 -p 3012:3012 

In Apache conf file I have configured bitwarden as subdomain like:

ServerName SSLEngine On Include /etc/letsencrypt/options-ssl-apache.conf ErrorLog /data/bitwarden-error.log CustomLog /data/bitwarden-access.log combined RewriteEngine On RewriteCond %{HTTP:Upgrade} =websocket [NC] RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [P,L] ProxyPass / http://localhost:9011/ SSLProxyEngine on ProxyPreserveHost On ProxyRequests Off RequestHeader set X-Real-IP %{REMOTE_ADDR}s

Now I can reach bitwarden als, but also as ip-address:9011.

So it looks like as if port 9011 has been opened in the firewall. But I do not see this in iptables -S. I do see some lines of docker. Did docker open this port to the outside?
How can I close 9011 for the outside world?

You would use -p; see

Oh it is that simple! Thank you jjlin
Should I also add this for 3012?

-p -p