From 53230e28b500aeac1a8ea6719a6e943a88c0ed35 Mon Sep 17 00:00:00 2001
From: Teng Zhang <zhangt2333@gmail.com>
Date: Sun, 10 May 2026 19:35:02 +0800
Subject: [PATCH 1/3] feat: add port security awareness panel to firewall page

---
 agent/app/api/v2/firewall.go                  |  23 ++
 agent/app/dto/firewall.go                     |  34 ++
 agent/app/service/firewall.go                 |   1 +
 agent/app/service/firewall_port_security.go   | 371 ++++++++++++++++++
 agent/router/ro_host.go                       |   1 +
 frontend/src/api/interface/host.ts            |  31 ++
 frontend/src/api/modules/host.ts              |   3 +
 frontend/src/lang/modules/en.ts               |  21 +
 frontend/src/lang/modules/es-es.ts            |  19 +
 frontend/src/lang/modules/ja.ts               |  19 +
 frontend/src/lang/modules/ko.ts               |  19 +
 frontend/src/lang/modules/ms.ts               |  19 +
 frontend/src/lang/modules/pt-br.ts            |  19 +
 frontend/src/lang/modules/ru.ts               |  19 +
 frontend/src/lang/modules/tr.ts               |  19 +
 frontend/src/lang/modules/zh-Hant.ts          |  19 +
 frontend/src/lang/modules/zh.ts               |  19 +
 .../host/firewall/port/awareness/index.vue    | 226 +++++++++++
 .../src/views/host/firewall/port/index.vue    |  11 +
 19 files changed, 893 insertions(+)
 create mode 100644 agent/app/service/firewall_port_security.go
 create mode 100644 frontend/src/views/host/firewall/port/awareness/index.vue

diff --git a/agent/app/api/v2/firewall.go b/agent/app/api/v2/firewall.go
index b36ddb871b1d..dde68c46ac20 100644
--- a/agent/app/api/v2/firewall.go
+++ b/agent/app/api/v2/firewall.go
@@ -337,3 +337,26 @@ func (b *BaseApi) LoadChainStatus(c *gin.Context) {
 
 	helper.SuccessWithData(c, iptablesService.LoadChainStatus(req))
 }
+
+// @Tags Firewall
+// @Summary Get port security overview
+// @Accept json
+// @Param request body dto.PortSecuritySearch true "request"
+// @Success 200 {object} dto.PortSecurityOverview
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/port/security [post]
+func (b *BaseApi) GetPortSecurity(c *gin.Context) {
+	var req dto.PortSecuritySearch
+	if err := helper.CheckBind(&req, c); err != nil {
+		return
+	}
+
+	data, err := firewallService.GetPortSecurityOverview(req)
+	if err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.SuccessWithData(c, data)
+}
diff --git a/agent/app/dto/firewall.go b/agent/app/dto/firewall.go
index d12a9656b877..363a4abb46e5 100644
--- a/agent/app/dto/firewall.go
+++ b/agent/app/dto/firewall.go
@@ -111,3 +111,37 @@ type IptablesChainStatus struct {
 	IsBind          bool   `json:"isBind"`
 	DefaultStrategy string `json:"defaultStrategy"`
 }
+
+type PortSecuritySearch struct {
+	Info   string `json:"info"`
+	Status string `json:"status"`
+}
+
+type PortSecurityOverview struct {
+	Items       []PortSecurityItem  `json:"items"`
+	Summary     PortSecuritySummary `json:"summary"`
+	FireActive  bool                `json:"fireActive"`
+	DockerExist bool                `json:"dockerExist"`
+}
+
+type PortSecuritySummary struct {
+	Total          int `json:"total"`
+	Protected      int `json:"protected"`
+	Unprotected    int `json:"unprotected"`
+	DockerBypassed int `json:"dockerBypassed"`
+	LocalOnly      int `json:"localOnly"`
+}
+
+type PortSecurityItem struct {
+	Port          uint32 `json:"port"`
+	Protocol      string `json:"protocol"`
+	BindAddress   string `json:"bindAddress"`
+	ProcessName   string `json:"processName"`
+	PID           int32  `json:"pid"`
+	SourceType    string `json:"sourceType"`
+	ContainerName string `json:"containerName"`
+	AppName       string `json:"appName"`
+	Status        string `json:"status"`
+	HasRule       bool   `json:"hasRule"`
+	RuleStrategy  string `json:"ruleStrategy"`
+}
diff --git a/agent/app/service/firewall.go b/agent/app/service/firewall.go
index b06c2d0e135a..65f395ef57be 100644
--- a/agent/app/service/firewall.go
+++ b/agent/app/service/firewall.go
@@ -34,6 +34,7 @@ type IFirewallService interface {
 	UpdateAddrRule(req dto.AddrRuleUpdate) error
 	UpdateDescription(req dto.UpdateFirewallDescription) error
 	BatchOperateRule(req dto.BatchRuleOperate) error
+	GetPortSecurityOverview(req dto.PortSecuritySearch) (*dto.PortSecurityOverview, error)
 }
 
 func NewIFirewallService() IFirewallService {
diff --git a/agent/app/service/firewall_port_security.go b/agent/app/service/firewall_port_security.go
new file mode 100644
index 000000000000..8680b76e096a
--- /dev/null
+++ b/agent/app/service/firewall_port_security.go
@@ -0,0 +1,371 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/1Panel-dev/1Panel/agent/app/dto"
+	"github.com/1Panel-dev/1Panel/agent/utils/docker"
+	"github.com/1Panel-dev/1Panel/agent/utils/firewall"
+	fireClient "github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
+	"github.com/docker/docker/api/types/container"
+	"github.com/shirou/gopsutil/v4/net"
+	"github.com/shirou/gopsutil/v4/process"
+)
+
+type portKey struct {
+	port     uint32
+	protocol string
+}
+
+type dockerPortInfo struct {
+	containerName string
+	hostIP        string
+}
+
+type firewallRuleEntry struct {
+	strategy string
+	portStr  string
+	protocol string
+}
+
+// GetPortSecurityOverview scans all listening ports and cross-references them with
+// Docker container bindings and firewall rules to produce a security status overview.
+func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*dto.PortSecurityOverview, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	var (
+		wg             sync.WaitGroup
+		connections    []net.ConnectionStat
+		containers     []container.Summary
+		firewallRules  []fireClient.FireInfo
+		firewallActive bool
+		dockerExists   bool
+		connectionErr  error
+		dockerErr      error
+		firewallErr    error
+	)
+
+	wg.Add(3)
+	go func() {
+		defer wg.Done()
+		connections, connectionErr = net.ConnectionsMaxWithContext(ctx, "inet", 32768)
+	}()
+	go func() {
+		defer wg.Done()
+		cli, err := docker.NewDockerClient()
+		if err != nil {
+			dockerErr = err
+			return
+		}
+		defer cli.Close()
+		dockerExists = true
+		containers, dockerErr = cli.ContainerList(ctx, container.ListOptions{All: false})
+	}()
+	go func() {
+		defer wg.Done()
+		fwClient, err := firewall.NewFirewallClient()
+		if err != nil {
+			firewallErr = err
+			return
+		}
+		firewallActive, _ = fwClient.Status()
+		firewallRules, firewallErr = fwClient.ListPort()
+	}()
+	wg.Wait()
+
+	if connectionErr != nil {
+		return nil, fmt.Errorf("failed to get listening ports: %w", connectionErr)
+	}
+
+	dockerPortMap := buildDockerPortMap(containers, dockerErr)
+	ruleIndex := buildFirewallRuleIndex(firewallRules, firewallErr)
+	appPortMap := buildAppPortMap(ctx)
+
+	seenIndex := make(map[portKey]int)
+	items := make([]dto.PortSecurityItem, 0)
+
+	for _, conn := range connections {
+		if conn.Pid == 0 {
+			continue
+		}
+		isListen := conn.Status == "LISTEN" && conn.Type == syscall.SOCK_STREAM
+		isUDP := conn.Type == syscall.SOCK_DGRAM && conn.Raddr.Port == 0
+		if !isListen && !isUDP {
+			continue
+		}
+
+		proto := "tcp"
+		if conn.Type == syscall.SOCK_DGRAM {
+			proto = "udp"
+		}
+
+		bindAddr := conn.Laddr.IP
+		if bindAddr == "" {
+			bindAddr = "0.0.0.0"
+		}
+
+		key := portKey{port: conn.Laddr.Port, protocol: proto}
+		if idx, exists := seenIndex[key]; exists {
+			if isWildcardAddress(bindAddr) && !isWildcardAddress(items[idx].BindAddress) {
+				items[idx].BindAddress = bindAddr
+			}
+			continue
+		}
+		seenIndex[key] = len(items)
+
+		item := dto.PortSecurityItem{
+			Port:        conn.Laddr.Port,
+			Protocol:    proto,
+			BindAddress: bindAddr,
+			ProcessName: getProcessNameByPID(conn.Pid),
+			PID:         conn.Pid,
+			SourceType:  "host",
+		}
+
+		if dInfo, ok := dockerPortMap[key]; ok {
+			item.SourceType = "docker"
+			item.ContainerName = dInfo.containerName
+			if dInfo.hostIP != "" {
+				item.BindAddress = dInfo.hostIP
+			}
+		}
+
+		if appName, ok := appPortMap[conn.Laddr.Port]; ok {
+			item.AppName = appName
+			if item.SourceType == "docker" {
+				item.SourceType = "appStore"
+			}
+		}
+
+		ruleStrategy, hasRule := matchFirewallRule(ruleIndex, conn.Laddr.Port, proto)
+		item.HasRule = hasRule
+		item.RuleStrategy = ruleStrategy
+
+		items = append(items, item)
+	}
+
+	for i := range items {
+		items[i].Status = determineStatus(items[i].BindAddress, items[i].SourceType, firewallActive, items[i].HasRule)
+	}
+
+	// Sort by status priority > protocol > port number
+	sort.Slice(items, func(i, j int) bool {
+		pi, pj := statusSortPriority(items[i].Status), statusSortPriority(items[j].Status)
+		if pi != pj {
+			return pi < pj
+		}
+		if items[i].Protocol != items[j].Protocol {
+			return items[i].Protocol < items[j].Protocol
+		}
+		return items[i].Port < items[j].Port
+	})
+
+	// Summary is computed before filtering so it reflects overall status
+	summary := dto.PortSecuritySummary{Total: len(items)}
+	for _, item := range items {
+		switch item.Status {
+		case "protected":
+			summary.Protected++
+		case "noRule":
+			summary.Unprotected++
+		case "dockerBypass":
+			summary.DockerBypassed++
+		case "localOnly":
+			summary.LocalOnly++
+		case "firewallInactive":
+			summary.Unprotected++
+		}
+	}
+
+	// Apply filters after summary (so summary reflects totals, filters narrow the list)
+	if req.Info != "" || req.Status != "" {
+		filtered := make([]dto.PortSecurityItem, 0)
+		keyword := strings.ToLower(req.Info)
+		for _, item := range items {
+			if req.Status != "" && item.Status != req.Status {
+				continue
+			}
+			if keyword != "" {
+				portStr := strconv.FormatUint(uint64(item.Port), 10)
+				if !strings.Contains(portStr, keyword) &&
+					!strings.Contains(strings.ToLower(item.ProcessName), keyword) &&
+					!strings.Contains(strings.ToLower(item.ContainerName), keyword) {
+					continue
+				}
+			}
+			filtered = append(filtered, item)
+		}
+		items = filtered
+	}
+
+	return &dto.PortSecurityOverview{
+		Items:       items,
+		Summary:     summary,
+		FireActive:  firewallActive,
+		DockerExist: dockerExists,
+	}, nil
+}
+
+// buildDockerPortMap creates a lookup map from host port to container info.
+func buildDockerPortMap(containers []container.Summary, err error) map[portKey]dockerPortInfo {
+	result := make(map[portKey]dockerPortInfo)
+	if err != nil || containers == nil {
+		return result
+	}
+	for _, c := range containers {
+		name := ""
+		if len(c.Names) > 0 {
+			name = strings.TrimPrefix(c.Names[0], "/")
+		}
+		for _, p := range c.Ports {
+			if p.PublicPort == 0 {
+				continue
+			}
+			key := portKey{port: uint32(p.PublicPort), protocol: p.Type}
+			result[key] = dockerPortInfo{
+				containerName: name,
+				hostIP:        p.IP,
+			}
+		}
+	}
+	return result
+}
+
+// buildFirewallRuleIndex converts firewall rules into a list for port matching.
+func buildFirewallRuleIndex(rules []fireClient.FireInfo, err error) []firewallRuleEntry {
+	if err != nil || rules == nil {
+		return nil
+	}
+	var entries []firewallRuleEntry
+	for _, r := range rules {
+		entries = append(entries, firewallRuleEntry{
+			strategy: r.Strategy,
+			portStr:  r.Port,
+			protocol: r.Protocol,
+		})
+	}
+	return entries
+}
+
+// buildAppPortMap creates a lookup map from port number to app name.
+func buildAppPortMap(ctx context.Context) map[uint32]string {
+	result := make(map[uint32]string)
+	apps, err := appInstallRepo.ListBy(ctx)
+	if err != nil {
+		return result
+	}
+	for _, app := range apps {
+		if app.HttpPort > 0 {
+			result[uint32(app.HttpPort)] = app.App.Key
+		}
+		if app.HttpsPort > 0 {
+			result[uint32(app.HttpsPort)] = app.App.Key
+		}
+	}
+	systemPort, err := settingRepo.Get(settingRepo.WithByKey("ServerPort"))
+	if err == nil && systemPort.Value != "" {
+		if port, e := strconv.ParseUint(systemPort.Value, 10, 32); e == nil {
+			result[uint32(port)] = "1panel"
+		}
+	}
+	return result
+}
+
+// matchFirewallRule checks if a port has a matching firewall rule, respecting protocol.
+func matchFirewallRule(rules []firewallRuleEntry, port uint32, proto string) (string, bool) {
+	portStr := strconv.FormatUint(uint64(port), 10)
+	for _, r := range rules {
+		if r.protocol != "" && r.protocol != "tcp/udp" && r.protocol != proto {
+			continue
+		}
+		if portMatchesRule(portStr, port, r.portStr) {
+			return r.strategy, true
+		}
+	}
+	return "", false
+}
+
+func portMatchesRule(portStr string, portNum uint32, rulePort string) bool {
+	if rulePort == portStr {
+		return true
+	}
+	sep := ""
+	if strings.Contains(rulePort, "-") {
+		sep = "-"
+	} else if strings.Contains(rulePort, ":") {
+		sep = ":"
+	}
+	if sep != "" {
+		parts := strings.Split(rulePort, sep)
+		if len(parts) == 2 {
+			start, err1 := strconv.ParseUint(strings.TrimSpace(parts[0]), 10, 32)
+			end, err2 := strconv.ParseUint(strings.TrimSpace(parts[1]), 10, 32)
+			if err1 == nil && err2 == nil && uint64(portNum) >= start && uint64(portNum) <= end {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// determineStatus assigns a security status to a port based on its bind address,
+// source type, firewall state, and rule coverage. Priority order:
+// 1. Non-wildcard bind address → localOnly
+// 2. Docker/appStore source → dockerBypass
+// 3. Firewall inactive → firewallInactive
+// 4. Has matching rule → protected
+// 5. Otherwise → noRule
+func determineStatus(bindAddr, sourceType string, firewallActive, hasRule bool) string {
+	if !isWildcardAddress(bindAddr) {
+		return "localOnly"
+	}
+	if sourceType == "docker" || sourceType == "appStore" {
+		return "dockerBypass"
+	}
+	if !firewallActive {
+		return "firewallInactive"
+	}
+	if hasRule {
+		return "protected"
+	}
+	return "noRule"
+}
+
+func statusSortPriority(status string) int {
+	switch status {
+	case "firewallInactive":
+		return 0
+	case "dockerBypass":
+		return 1
+	case "noRule":
+		return 2
+	case "protected":
+		return 3
+	case "localOnly":
+		return 4
+	default:
+		return 5
+	}
+}
+
+// isWildcardAddress returns true if the address binds to all interfaces.
+func isWildcardAddress(addr string) bool {
+	return addr == "0.0.0.0" || addr == "::" || addr == ""
+}
+
+func getProcessNameByPID(pid int32) string {
+	proc, err := process.NewProcess(pid)
+	if err != nil {
+		return ""
+	}
+	name, _ := proc.Name()
+	return name
+}
diff --git a/agent/router/ro_host.go b/agent/router/ro_host.go
index bb4446842870..b2fd38e197cf 100644
--- a/agent/router/ro_host.go
+++ b/agent/router/ro_host.go
@@ -37,6 +37,7 @@ func (s *HostRouter) InitRouter(Router *gin.RouterGroup) {
 		hostRouter.POST("/firewall/filter/rule/batch", baseApi.BatchOperateFilterRule)
 		hostRouter.POST("/firewall/filter/operate", baseApi.OperateFilterChain)
 		hostRouter.POST("/firewall/filter/chain/status", baseApi.LoadChainStatus)
+		hostRouter.POST("/firewall/port/security", baseApi.GetPortSecurity)
 
 		hostRouter.POST("/monitor/search", baseApi.LoadMonitor)
 		hostRouter.POST("/monitor/gpu/search", baseApi.LoadGPUMonitor)
diff --git a/frontend/src/api/interface/host.ts b/frontend/src/api/interface/host.ts
index f6ab0343cd6e..f37118104055 100644
--- a/frontend/src/api/interface/host.ts
+++ b/frontend/src/api/interface/host.ts
@@ -140,6 +140,37 @@ export namespace Host {
         rules: Array<RulePort>;
     }
 
+    export interface PortSecuritySearch {
+        info: string;
+        status: string;
+    }
+    export interface PortSecurityItem {
+        port: number;
+        protocol: string;
+        bindAddress: string;
+        processName: string;
+        pid: number;
+        sourceType: string;
+        containerName: string;
+        appName: string;
+        status: string;
+        hasRule: boolean;
+        ruleStrategy: string;
+    }
+    export interface PortSecuritySummary {
+        total: number;
+        protected: number;
+        unprotected: number;
+        dockerBypassed: number;
+        localOnly: number;
+    }
+    export interface PortSecurityOverview {
+        items: Array<PortSecurityItem>;
+        summary: PortSecuritySummary;
+        fireActive: boolean;
+        dockerExist: boolean;
+    }
+
     export interface MonitorSetting {
         defaultNetwork: string;
         defaultIO: string;
diff --git a/frontend/src/api/modules/host.ts b/frontend/src/api/modules/host.ts
index 3357db136be9..8aca89176696 100644
--- a/frontend/src/api/modules/host.ts
+++ b/frontend/src/api/modules/host.ts
@@ -43,6 +43,9 @@ export const updateFirewallDescription = (params: Host.UpdateDescription) => {
 export const batchOperateRule = (params: Host.BatchRule) => {
     return http.post(`/hosts/firewall/batch`, params, TimeoutEnum.T_60S);
 };
+export const getPortSecurity = (params: Host.PortSecuritySearch) => {
+    return http.post<Host.PortSecurityOverview>(`/hosts/firewall/port/security`, params, TimeoutEnum.T_40S);
+};
 
 // Iptables Filter
 export const searchFilterRules = (params: Host.IptablesFilterRuleSearch) => {
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index df08fc3e6a75..419d68ff4026 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -3361,6 +3361,27 @@ const message = {
         cookieBlockList: 'Cookie blocklist',
         dockerHelper:
             'The current firewall cannot disable container port mapping. Installed applications can go to the [Installed] page to edit application parameters and configure port release rules.',
+        portSecurity: 'Port Security Scan',
+        portSecurityAllSafe: 'All listening ports are protected',
+        dockerBypass: 'Docker Bypass',
+        dockerBypassTip:
+            'This port is exposed via Docker container mapping, bypassing firewall INPUT chain rules. Adding port rules cannot block external access.',
+        dockerBypassSuggest:
+            'Suggest changing port mapping to 127.0.0.1:{0}:{0} in docker-compose.yml and restart the container.',
+        dockerBypassHasRule: 'Firewall rule exists ({0} {1}/{2}), but it is not effective.',
+        noRule: 'No Rule',
+        localOnly: 'Local Only',
+        protected: 'Protected',
+        firewallInactive: 'Firewall Inactive',
+        goToApp: 'Go to App Settings',
+        dockerBypassDetail: 'How to fix',
+        createRuleQuick: 'Create Rule',
+        portSecurityRiskLabel: 'risk(s)',
+        portSecurityPendingLabel: 'pending',
+        portSecuritySafeLabel: 'safe',
+        portSecuritySource: 'Process / Container',
+        portSecurityBindAddr: 'Bind Address',
+        dockerLabel: 'Container',
         iptablesHelper:
             'Detected that the system is using {0} firewall. To switch to iptables, please uninstall it manually first!',
         quickJump: 'Quick access',
diff --git a/frontend/src/lang/modules/es-es.ts b/frontend/src/lang/modules/es-es.ts
index b3728ff5c03c..7fc80003fc3c 100644
--- a/frontend/src/lang/modules/es-es.ts
+++ b/frontend/src/lang/modules/es-es.ts
@@ -3394,6 +3394,25 @@ const message = {
         cookieBlockList: 'Lista negra de cookies',
         dockerHelper:
             'El firewall actual no puede deshabilitar el mapeo de puertos de contenedores. Las aplicaciones instaladas pueden ir a la página [Instaladas] para editar los parámetros de la aplicación y configurar reglas de liberación de puertos.',
+        portSecurity: 'Análisis de Seguridad de Puertos',
+        portSecurityAllSafe: 'Todos los puertos en escucha están protegidos',
+        dockerBypass: 'Bypass de Docker',
+        dockerBypassTip: 'Este puerto está expuesto mediante el mapeo de contenedor Docker, eludiendo las reglas de la cadena INPUT del cortafuegos. Añadir reglas de puerto no puede bloquear el acceso externo.',
+        dockerBypassSuggest: 'Se recomienda cambiar el mapeo de puertos a 127.0.0.1:{0}:{0} en docker-compose.yml y reiniciar el contenedor.',
+        dockerBypassHasRule: 'Existe una regla de cortafuegos ({0} {1}/{2}), pero no es efectiva.',
+        noRule: 'Sin Regla',
+        localOnly: 'Solo Local',
+        protected: 'Protegido',
+        firewallInactive: 'Cortafuegos Inactivo',
+        goToApp: 'Ir a Configuración de la App',
+        dockerBypassDetail: 'Cómo solucionarlo',
+        createRuleQuick: 'Crear Regla',
+        portSecurityRiskLabel: 'riesgo(s)',
+        portSecurityPendingLabel: 'pendiente(s)',
+        portSecuritySafeLabel: 'seguro(s)',
+        portSecuritySource: 'Proceso / Contenedor',
+        portSecurityBindAddr: 'Dirección de Enlace',
+        dockerLabel: 'Contenedor',
         iptablesHelper:
             'Se detectó que el sistema está usando el firewall {0}. Para cambiar a iptables, ¡desinstálelo manualmente primero!',
         quickJump: 'Acceso rápido',
diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts
index ac49b4333f9e..daf5a5fedde0 100644
--- a/frontend/src/lang/modules/ja.ts
+++ b/frontend/src/lang/modules/ja.ts
@@ -3384,6 +3384,25 @@ const message = {
         cookieBlockList: 'クッキーブロックリスト',
         dockerHelper:
             '現在のファイアウォールではコンテナのポートマッピングを無効にできません。インストール済みアプリケーションは【インストール済み】ページでアプリケーションパラメータを編集し、ポート開放ルールを設定できます。',
+        portSecurity: 'ポートセキュリティスキャン',
+        portSecurityAllSafe: 'すべてのリスニングポートは保護されています',
+        dockerBypass: 'Docker バイパス',
+        dockerBypassTip: 'このポートは Docker コンテナマッピングにより公開されており、ファイアウォールの INPUT チェーンルールをバイパスしています。ポートルールを追加しても外部アクセスをブロックできません。',
+        dockerBypassSuggest: 'docker-compose.yml でポートマッピングを 127.0.0.1:{0}:{0} に変更し、コンテナを再起動することを推奨します。',
+        dockerBypassHasRule: 'ファイアウォールルールが存在します（{0} {1}/{2}）が、実際には有効ではありません。',
+        noRule: 'ルールなし',
+        localOnly: 'ローカルのみ',
+        protected: '保護済み',
+        firewallInactive: 'ファイアウォール無効',
+        goToApp: 'アプリ設定へ移動',
+        dockerBypassDetail: '修正方法',
+        createRuleQuick: 'ルールを作成',
+        portSecurityRiskLabel: '件のリスク',
+        portSecurityPendingLabel: '件の未対応',
+        portSecuritySafeLabel: '件の安全',
+        portSecuritySource: 'プロセス / コンテナ',
+        portSecurityBindAddr: 'バインドアドレス',
+        dockerLabel: 'コンテナ',
         iptablesHelper:
             'システムが {0} ファイアウォールを使用していることを検出しました。iptables に切り替えるには、まず手動でアンインストールしてください！',
         quickJump: 'クイックアクセス',
diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts
index b221b0a9c41e..2917b9f3d37f 100644
--- a/frontend/src/lang/modules/ko.ts
+++ b/frontend/src/lang/modules/ko.ts
@@ -3306,6 +3306,25 @@ const message = {
         cookieBlockList: '쿠키 차단 목록',
         dockerHelper:
             '현재 방화벽은 컨테이너 포트 매핑을 비활성화할 수 없습니다. 설치된 애플리케이션은 [설치됨] 페이지에서 애플리케이션 매개변수를 편집하고 포트 해제 규칙을 구성할 수 있습니다.',
+        portSecurity: '포트 보안 스캔',
+        portSecurityAllSafe: '모든 수신 포트가 보호되고 있습니다',
+        dockerBypass: 'Docker 우회',
+        dockerBypassTip: '이 포트는 Docker 컨테이너 매핑을 통해 노출되어 방화벽 INPUT 체인 규칙을 우회합니다. 포트 규칙을 추가해도 외부 접근을 차단할 수 없습니다.',
+        dockerBypassSuggest: 'docker-compose.yml에서 포트 매핑을 127.0.0.1:{0}:{0}으로 변경하고 컨테이너를 재시작하는 것을 권장합니다.',
+        dockerBypassHasRule: '방화벽 규칙이 존재하지만({0} {1}/{2}), 실제로 적용되지 않습니다.',
+        noRule: '규칙 없음',
+        localOnly: '로컬 전용',
+        protected: '보호됨',
+        firewallInactive: '방화벽 비활성',
+        goToApp: '앱 설정으로 이동',
+        dockerBypassDetail: '해결 방법',
+        createRuleQuick: '규칙 생성',
+        portSecurityRiskLabel: '개 위험',
+        portSecurityPendingLabel: '개 보류',
+        portSecuritySafeLabel: '개 안전',
+        portSecuritySource: '프로세스 / 컨테이너',
+        portSecurityBindAddr: '바인드 주소',
+        dockerLabel: '컨테이너',
         iptablesHelper:
             '시스템이 {0} 방화벽을 사용 중인 것으로 감지되었습니다. iptables로 전환하려면 먼저 수동으로 제거하세요!',
         used: '사용됨',
diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts
index 59e8eed9d2e5..113859a2c6cc 100644
--- a/frontend/src/lang/modules/ms.ts
+++ b/frontend/src/lang/modules/ms.ts
@@ -3432,6 +3432,25 @@ const message = {
         cookieBlockList: 'Senarai blok Cookie',
         dockerHelper:
             'Firewall semasa tidak boleh melumpuhkan pemetaan port bekas. Aplikasi yang dipasang boleh pergi ke halaman [Dipasang] untuk mengedit parameter aplikasi dan mengkonfigurasi peraturan pelepasan port.',
+        portSecurity: 'Imbasan Keselamatan Port',
+        portSecurityAllSafe: 'Semua port yang mendengar telah dilindungi',
+        dockerBypass: 'Pintasan Docker',
+        dockerBypassTip: 'Port ini didedahkan melalui pemetaan kontena Docker, memintas peraturan rantai INPUT firewall. Menambah peraturan port tidak dapat menyekat akses luaran.',
+        dockerBypassSuggest: 'Disarankan untuk menukar pemetaan port kepada 127.0.0.1:{0}:{0} dalam docker-compose.yml dan mulakan semula kontena.',
+        dockerBypassHasRule: 'Peraturan firewall wujud ({0} {1}/{2}), tetapi ia tidak berkesan.',
+        noRule: 'Tiada Peraturan',
+        localOnly: 'Setempat Sahaja',
+        protected: 'Dilindungi',
+        firewallInactive: 'Firewall Tidak Aktif',
+        goToApp: 'Pergi ke Tetapan Aplikasi',
+        dockerBypassDetail: 'Cara membaiki',
+        createRuleQuick: 'Cipta Peraturan',
+        portSecurityRiskLabel: 'risiko',
+        portSecurityPendingLabel: 'belum selesai',
+        portSecuritySafeLabel: 'selamat',
+        portSecuritySource: 'Proses / Kontena',
+        portSecurityBindAddr: 'Alamat Bind',
+        dockerLabel: 'Kontena',
         iptablesHelper:
             'Dikesan sistem menggunakan firewall {0}. Untuk beralih ke iptables, sila nyahpasang secara manual dahulu!',
         quickJump: 'Akses pantas',
diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts
index 1c8d80d86dcd..00bd27c88f29 100644
--- a/frontend/src/lang/modules/pt-br.ts
+++ b/frontend/src/lang/modules/pt-br.ts
@@ -3569,6 +3569,25 @@ const message = {
         cookieBlockList: 'Lista de cookies bloqueados',
         dockerHelper:
             'O firewall atual não pode desativar o mapeamento de porta de contêiner. Aplicativos instalados podem ir para a página [Instalados] para editar parâmetros do aplicativo e configurar regras de liberação de porta.',
+        portSecurity: 'Verificação de Segurança de Portas',
+        portSecurityAllSafe: 'Todas as portas em escuta estão protegidas',
+        dockerBypass: 'Bypass do Docker',
+        dockerBypassTip: 'Esta porta está exposta via mapeamento de contêiner Docker, ignorando as regras da cadeia INPUT do firewall. Adicionar regras de porta não pode bloquear o acesso externo.',
+        dockerBypassSuggest: 'Sugerimos alterar o mapeamento de porta para 127.0.0.1:{0}:{0} no docker-compose.yml e reiniciar o contêiner.',
+        dockerBypassHasRule: 'Regra de firewall existente ({0} {1}/{2}), mas não está em vigor.',
+        noRule: 'Sem Regra',
+        localOnly: 'Apenas Local',
+        protected: 'Protegido',
+        firewallInactive: 'Firewall Inativo',
+        goToApp: 'Ir para Configurações do App',
+        dockerBypassDetail: 'Como corrigir',
+        createRuleQuick: 'Criar Regra',
+        portSecurityRiskLabel: 'risco(s)',
+        portSecurityPendingLabel: 'pendente(s)',
+        portSecuritySafeLabel: 'seguro(s)',
+        portSecuritySource: 'Processo / Contêiner',
+        portSecurityBindAddr: 'Endereço de Bind',
+        dockerLabel: 'Contêiner',
         iptablesHelper:
             'Detectado que o sistema está usando o firewall {0}. Para mudar para iptables, desinstale-o manualmente primeiro!',
         quickJump: 'Acesso rápido',
diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts
index 07010dd34921..e1f0d6c6d6aa 100644
--- a/frontend/src/lang/modules/ru.ts
+++ b/frontend/src/lang/modules/ru.ts
@@ -3426,6 +3426,25 @@ const message = {
         cookieBlockList: 'Черный список Cookie',
         dockerHelper:
             'Текущий брандмауэр не может отключить сопоставление портов контейнера. Установленные приложения могут перейти на страницу [Установленные], чтобы редактировать параметры приложения и настраивать правила открытия портов.',
+        portSecurity: 'Сканирование безопасности портов',
+        portSecurityAllSafe: 'Все прослушиваемые порты защищены',
+        dockerBypass: 'Обход Docker',
+        dockerBypassTip: 'Этот порт открыт через маппинг контейнера Docker, минуя правила цепочки INPUT брандмауэра. Добавление правил для порта не может заблокировать внешний доступ.',
+        dockerBypassSuggest: 'Рекомендуется изменить маппинг порта на 127.0.0.1:{0}:{0} в docker-compose.yml и перезапустить контейнер.',
+        dockerBypassHasRule: 'Правило брандмауэра существует ({0} {1}/{2}), но оно не действует.',
+        noRule: 'Нет правила',
+        localOnly: 'Только локально',
+        protected: 'Защищён',
+        firewallInactive: 'Брандмауэр неактивен',
+        goToApp: 'Перейти к настройкам приложения',
+        dockerBypassDetail: 'Как исправить',
+        createRuleQuick: 'Создать правило',
+        portSecurityRiskLabel: 'риск(ов)',
+        portSecurityPendingLabel: 'в ожидании',
+        portSecuritySafeLabel: 'безопасно',
+        portSecuritySource: 'Процесс / Контейнер',
+        portSecurityBindAddr: 'Адрес привязки',
+        dockerLabel: 'Контейнер',
         iptablesHelper:
             'Обнаружено, что система использует брандмауэр {0}. Чтобы переключиться на iptables, сначала удалите его вручную!',
         quickJump: 'Быстрый доступ',
diff --git a/frontend/src/lang/modules/tr.ts b/frontend/src/lang/modules/tr.ts
index 2d3484cd6814..c1ee99aac507 100644
--- a/frontend/src/lang/modules/tr.ts
+++ b/frontend/src/lang/modules/tr.ts
@@ -3427,6 +3427,25 @@ const message = {
         cookieBlockList: 'Çerez engelleme listesi',
         dockerHelper:
             'Mevcut güvenlik duvarı konteyner port eşlemesini devre dışı bırakamaz. Yüklü uygulamalar, uygulama parametrelerini düzenlemek ve port serbest bırakma kurallarını yapılandırmak için [Yüklü] sayfasına gidebilir.',
+        portSecurity: 'Port Güvenlik Taraması',
+        portSecurityAllSafe: 'Tüm dinlenen portlar korunuyor',
+        dockerBypass: 'Docker Atlatma',
+        dockerBypassTip: 'Bu port, Docker konteyner eşlemesi aracılığıyla açığa çıkmıştır ve güvenlik duvarı INPUT zinciri kurallarını atlatmaktadır. Port kuralı eklemek dış erişimi engelleyemez.',
+        dockerBypassSuggest: 'docker-compose.yml dosyasında port eşlemesini 127.0.0.1:{0}:{0} olarak değiştirip konteyneri yeniden başlatmanız önerilir.',
+        dockerBypassHasRule: 'Güvenlik duvarı kuralı mevcut ({0} {1}/{2}), ancak etkili değil.',
+        noRule: 'Kural Yok',
+        localOnly: 'Yalnızca Yerel',
+        protected: 'Korumalı',
+        firewallInactive: 'Güvenlik Duvarı Devre Dışı',
+        goToApp: 'Uygulama Ayarlarına Git',
+        dockerBypassDetail: 'Nasıl düzeltilir',
+        createRuleQuick: 'Kural Oluştur',
+        portSecurityRiskLabel: 'risk',
+        portSecurityPendingLabel: 'beklemede',
+        portSecuritySafeLabel: 'güvenli',
+        portSecuritySource: 'İşlem / Konteyner',
+        portSecurityBindAddr: 'Bağlama Adresi',
+        dockerLabel: 'Konteyner',
         iptablesHelper:
             "Sistemin {0} güvenlik duvarını kullandığı tespit edildi. iptables'a geçmek için lütfen önce manuel olarak kaldırın!",
         quickJump: 'Hızlı erişim',
diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts
index bf21b1333222..67ca47be6aef 100644
--- a/frontend/src/lang/modules/zh-Hant.ts
+++ b/frontend/src/lang/modules/zh-Hant.ts
@@ -3112,6 +3112,25 @@ const message = {
         postCheck: 'POST 參數校驗',
         cookieBlockList: 'Cookie 黑名單',
         dockerHelper: '目前防火牆無法停用容器埠映射，已安裝應用可前往【已安裝】頁面編輯應用參數，設定埠放行規則。',
+        portSecurity: '連接埠安全檢測',
+        portSecurityAllSafe: '所有監聽連接埠已受保護',
+        dockerBypass: 'Docker 繞過',
+        dockerBypassTip: '此連接埠透過 Docker 容器映射，繞過防火牆 INPUT 規則。新增連接埠規則無法阻止外部存取。',
+        dockerBypassSuggest: '建議在 docker-compose.yml 中將連接埠映射改為 127.0.0.1:{0}:{0}，然後重啟容器。',
+        dockerBypassHasRule: '已有防火牆規則（{0} {1}/{2}），但該規則實際不生效。',
+        noRule: '未配置規則',
+        localOnly: '僅本機',
+        protected: '已保護',
+        firewallInactive: '防火牆未啟用',
+        goToApp: '前往容器設定',
+        dockerBypassDetail: '如何修復',
+        createRuleQuick: '建立規則',
+        portSecurityRiskLabel: '個風險',
+        portSecurityPendingLabel: '個待處理',
+        portSecuritySafeLabel: '個已安全',
+        portSecuritySource: '處理程序 / 容器',
+        portSecurityBindAddr: '綁定位址',
+        dockerLabel: '容器',
         iptablesHelper: '偵測到系統正在使用 {0} 防火牆，如需切換至 iptables，請先手動解除安裝',
         quickJump: '快速跳轉',
         used: '已使用',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index 8dfb25a94b9b..fa20e32f22f7 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -3112,6 +3112,25 @@ const message = {
         cookieBlockList: 'Cookie 黑名单',
 
         dockerHelper: '当前防火墙无法禁用容器端口映射，已安装应用可前往【已安装】页面编辑应用参数，配置端口放行规则。',
+        portSecurity: '端口安全检测',
+        portSecurityAllSafe: '所有监听端口已保护',
+        dockerBypass: 'Docker 绕过',
+        dockerBypassTip: '此端口通过 Docker 容器映射，绕过防火墙 INPUT 规则。添加端口规则无法阻止外部访问。',
+        dockerBypassSuggest: '建议在 docker-compose.yml 中将端口映射改为 127.0.0.1:{0}:{0}，然后重启容器。',
+        dockerBypassHasRule: '已有防火墙规则（{0} {1}/{2}），但该规则实际不生效。',
+        noRule: '未配规则',
+        localOnly: '仅本机',
+        protected: '已保护',
+        firewallInactive: '防火墙未启用',
+        goToApp: '前往容器设置',
+        dockerBypassDetail: '如何修复',
+        createRuleQuick: '创建规则',
+        portSecurityRiskLabel: '个风险',
+        portSecurityPendingLabel: '个待处理',
+        portSecuritySafeLabel: '个已安全',
+        portSecuritySource: '进程 / 容器',
+        portSecurityBindAddr: '绑定地址',
+        dockerLabel: '容器',
         iptablesHelper: '检测到系统正在使用 {0} 防火墙，如需切换至 iptables，请先手动卸载！',
         quickJump: '快速跳转',
         used: '已使用',
diff --git a/frontend/src/views/host/firewall/port/awareness/index.vue b/frontend/src/views/host/firewall/port/awareness/index.vue
new file mode 100644
index 000000000000..a6fc34a3f8a3
--- /dev/null
+++ b/frontend/src/views/host/firewall/port/awareness/index.vue
@@ -0,0 +1,226 @@
+<template>
+    <LayoutContent :title="$t('firewall.portSecurity')">
+        <template #leftToolBar>
+            <span style="font-weight: 500; font-size: 14px;">{{ $t('firewall.portSecurity') }}</span>
+            <template v-if="!loading && overview">
+                <el-tag v-if="overview.summary.dockerBypassed > 0" type="danger">
+                    {{ overview.summary.dockerBypassed }} {{ $t('firewall.portSecurityRiskLabel') }}
+                </el-tag>
+                <el-tag v-if="overview.summary.unprotected > 0" type="warning">
+                    {{ overview.summary.unprotected }} {{ $t('firewall.portSecurityPendingLabel') }}
+                </el-tag>
+                <el-tag type="success">
+                    {{ overview.summary.protected + overview.summary.localOnly }}
+                    {{ $t('firewall.portSecuritySafeLabel') }}
+                </el-tag>
+            </template>
+        </template>
+        <template #rightToolBar>
+            <el-select v-model="searchStatus" @change="search" clearable class="p-w-200">
+                <template #prefix>{{ $t('commons.table.status') }}</template>
+                <el-option :label="$t('commons.table.all')" value=""></el-option>
+                <el-option :label="$t('firewall.dockerBypass')" value="dockerBypass"></el-option>
+                <el-option :label="$t('firewall.noRule')" value="noRule"></el-option>
+                <el-option :label="$t('firewall.protected')" value="protected"></el-option>
+                <el-option :label="$t('firewall.localOnly')" value="localOnly"></el-option>
+            </el-select>
+            <TableSearch @search="search()" v-model:searchName="searchName" />
+            <TableRefresh @search="search()" />
+            <TableSetting title="firewall-port-security-refresh" @search="search()" />
+        </template>
+        <template #main>
+            <div v-if="allData.length === 0 && !loading && !hasError && !searchName && !searchStatus" class="all-safe">
+                <el-icon color="var(--el-color-success)"><CircleCheckFilled /></el-icon>
+                <span>{{ $t('firewall.portSecurityAllSafe') }}</span>
+            </div>
+            <ComplexTable
+                v-else
+                :pagination-config="paginationConfig"
+                :data="tableData"
+                @search="() => {}"
+            >
+                <el-table-column :label="$t('commons.table.port')" :min-width="70" prop="port" />
+                <el-table-column :label="$t('commons.table.protocol')" :min-width="70" prop="protocol" />
+                <el-table-column :label="$t('firewall.portSecuritySource')" :min-width="120">
+                    <template #default="{ row }">
+                        <span>{{ row.containerName || row.processName || '-' }}</span>
+                        <el-tag
+                            v-if="row.sourceType === 'docker' || row.sourceType === 'appStore'"
+                            class="source-tag--container"
+                            effect="plain"
+                            style="margin-left: 4px;"
+                        >
+                            <svg-icon iconName="p-docker" style="width: 12px; height: 12px; margin-right: 2px; vertical-align: middle;" />
+                            {{ $t('firewall.dockerLabel') }}
+                        </el-tag>
+                        <el-tag v-if="row.appName" type="info" effect="plain" style="margin-left: 4px;">
+                            {{ row.appName }}
+                        </el-tag>
+                    </template>
+                </el-table-column>
+                <el-table-column :label="$t('firewall.portSecurityBindAddr')" :min-width="80" prop="bindAddress" show-overflow-tooltip />
+                <el-table-column :label="$t('commons.table.status')" :min-width="120">
+                    <template #default="{ row }">
+                        <el-tag :type="statusTagType(row.status)">
+                            {{ $t('firewall.' + row.status) }}
+                        </el-tag>
+                        <el-tooltip
+                            v-if="row.status === 'dockerBypass' && row.hasRule"
+                            :content="$t('firewall.dockerBypassHasRule', [row.ruleStrategy, row.port, row.protocol])"
+                            placement="top"
+                        >
+                            <el-icon color="var(--el-color-warning)" style="margin-left: 4px; cursor: pointer;">
+                                <WarningFilled />
+                            </el-icon>
+                        </el-tooltip>
+                    </template>
+                </el-table-column>
+                <el-table-column :label="$t('commons.table.operate')" width="200px" fixed="right">
+                    <template #default="{ row }">
+                        <el-button
+                            v-if="row.status === 'noRule' || row.status === 'firewallInactive'"
+                            link
+                            type="primary"
+                            @click="onCreateRule(row)"
+                        >
+                            {{ $t('firewall.createRuleQuick') }}
+                        </el-button>
+                        <el-popover
+                            v-else-if="row.status === 'dockerBypass'"
+                            placement="left"
+                            :width="320"
+                            trigger="click"
+                        >
+                            <template #reference>
+                                <el-button link type="primary">
+                                    {{ $t('firewall.dockerBypassDetail') }}
+                                </el-button>
+                            </template>
+                            <div class="docker-tip">
+                                <p>{{ $t('firewall.dockerBypassTip') }}</p>
+                                <p class="suggest">{{ $t('firewall.dockerBypassSuggest', [row.port]) }}</p>
+                                <el-button
+                                    v-if="row.sourceType === 'appStore'"
+                                    type="primary"
+                                    size="small"
+                                    @click="goToApp"
+                                    style="margin-top: 8px;"
+                                >
+                                    {{ $t('firewall.goToApp') }}
+                                </el-button>
+                            </div>
+                        </el-popover>
+                    </template>
+                </el-table-column>
+            </ComplexTable>
+        </template>
+    </LayoutContent>
+</template>
+
+<script setup lang="ts">
+import { ref, computed, reactive, onMounted } from 'vue';
+import { CircleCheckFilled, WarningFilled } from '@element-plus/icons-vue';
+import { getPortSecurity } from '@/api/modules/host';
+import { Host } from '@/api/interface/host';
+import { routerToName } from '@/utils/router';
+
+const emit = defineEmits(['createRule']);
+
+const loading = ref(false);
+const hasError = ref(false);
+const searchName = ref('');
+const searchStatus = ref('');
+const allData = ref<Host.PortSecurityItem[]>([]);
+const overview = ref<Host.PortSecurityOverview>();
+
+const paginationConfig = reactive({
+    cacheSizeKey: 'firewall-port-security-page-size',
+    currentPage: 1,
+    pageSize: Number(localStorage.getItem('firewall-port-security-page-size')) || 5,
+    total: 0,
+});
+
+const tableData = computed(() => {
+    const start = (paginationConfig.currentPage - 1) * paginationConfig.pageSize;
+    return allData.value.slice(start, start + paginationConfig.pageSize);
+});
+
+const statusTagType = (status: string) => {
+    switch (status) {
+        case 'dockerBypass':
+        case 'firewallInactive':
+            return 'danger';
+        case 'noRule':
+            return 'warning';
+        case 'protected':
+            return 'success';
+        case 'localOnly':
+            return 'info';
+        default:
+            return 'info';
+    }
+};
+
+const search = async () => {
+    if (loading.value) return;
+    loading.value = true;
+    hasError.value = false;
+    await getPortSecurity({ info: searchName.value, status: searchStatus.value })
+        .then((res) => {
+            overview.value = res.data;
+            allData.value = res.data.items || [];
+            paginationConfig.total = allData.value.length;
+            paginationConfig.currentPage = 1;
+        })
+        .catch(() => {
+            hasError.value = true;
+            overview.value = undefined;
+            allData.value = [];
+            paginationConfig.total = 0;
+        })
+        .finally(() => {
+            loading.value = false;
+        });
+};
+
+const onCreateRule = (row: Host.PortSecurityItem) => {
+    emit('createRule', { port: String(row.port), protocol: row.protocol });
+};
+
+const goToApp = () => {
+    routerToName('AppInstalled');
+};
+
+onMounted(() => {
+    search();
+});
+</script>
+
+<style scoped lang="scss">
+.all-safe {
+    display: flex;
+    align-items: center;
+    gap: 6px;
+    padding: 16px 0;
+    color: var(--el-color-success);
+    font-size: 14px;
+}
+
+.source-tag--container {
+    --el-tag-bg-color: var(--el-color-primary-light-9);
+    --el-tag-border-color: var(--el-color-primary-light-7);
+    --el-tag-text-color: var(--el-color-primary);
+}
+
+.docker-tip {
+    font-size: 13px;
+    line-height: 1.6;
+    p {
+        margin: 0 0 6px;
+    }
+    .suggest {
+        color: var(--el-color-warning);
+        font-size: 12px;
+    }
+}
+</style>
diff --git a/frontend/src/views/host/firewall/port/index.vue b/frontend/src/views/host/firewall/port/index.vue
index 5d5c98f95307..83e2bb07c4de 100644
--- a/frontend/src/views/host/firewall/port/index.vue
+++ b/frontend/src/views/host/firewall/port/index.vue
@@ -21,6 +21,12 @@
                     <span>{{ $t('firewall.basicStatus', ['1PANEL_BASIC']) }}</span>
                 </el-card>
 
+                <PortAwareness
+                    v-if="isActive && isBind"
+                    style="margin-top: 7px; margin-bottom: 7px;"
+                    @create-rule="onCreateRuleFromAwareness"
+                />
+
                 <LayoutContent :title="$t('firewall.portRule', 2)" :class="{ mask: !isActive || !isBind }">
                     <template #prompt>
                         <div class="mb-2" v-if="fireName !== 'iptables'">
@@ -159,6 +165,7 @@ import OperateDialog from '@/views/host/firewall/port/operate/index.vue';
 import ImportDialog from '@/views/host/firewall/port/import/index.vue';
 import FireStatus from '@/views/host/firewall/status/index.vue';
 import ProcessDetail from '@/views/host/process/process/detail/index.vue';
+import PortAwareness from '@/views/host/firewall/port/awareness/index.vue';
 import { onMounted, reactive, ref } from 'vue';
 import { batchOperateRule, searchFireRule, updateFirewallDescription, updatePortRule } from '@/api/modules/host';
 import { getListeningProcess } from '@/api/modules/process';
@@ -287,6 +294,10 @@ const quickJump = () => {
     routerToName('AppInstalled');
 };
 
+const onCreateRuleFromAwareness = (info: { port: string; protocol: string }) => {
+    onOpenDialog('create', { port: info.port, protocol: info.protocol, strategy: 'accept', operation: 'add', source: 'anyWhere' });
+};
+
 const onChangeStatus = async (row: Host.RuleInfo, status: string) => {
     let operation =
         status === 'accept'

From 6fa1d07965245a90b7e9b76172733d727e97c7c1 Mon Sep 17 00:00:00 2001
From: Teng Zhang <zhangt2333@gmail.com>
Date: Mon, 11 May 2026 14:36:44 +0800
Subject: [PATCH 2/3] feat: add port security awareness panel to firewall page

---
 agent/app/service/firewall_port_security.go   | 150 ++++++++++++++----
 frontend/src/lang/modules/en.ts               |  27 ++--
 frontend/src/lang/modules/es-es.ts            |  26 +--
 frontend/src/lang/modules/ja.ts               |  22 +--
 frontend/src/lang/modules/ko.ts               |  22 +--
 frontend/src/lang/modules/ms.ts               |  26 +--
 frontend/src/lang/modules/pt-br.ts            |  26 +--
 frontend/src/lang/modules/ru.ts               |  24 +--
 frontend/src/lang/modules/tr.ts               |  26 +--
 frontend/src/lang/modules/zh-Hant.ts          |  21 +--
 frontend/src/lang/modules/zh.ts               |  21 +--
 .../host/firewall/port/awareness/index.vue    | 126 +++++++++++----
 .../src/views/host/firewall/port/index.vue    |   4 +-
 13 files changed, 352 insertions(+), 169 deletions(-)

diff --git a/agent/app/service/firewall_port_security.go b/agent/app/service/firewall_port_security.go
index 8680b76e096a..4d6586b30e90 100644
--- a/agent/app/service/firewall_port_security.go
+++ b/agent/app/service/firewall_port_security.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	stdnet "net"
 	"sort"
 	"strconv"
 	"strings"
@@ -87,7 +88,7 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 
 	dockerPortMap := buildDockerPortMap(containers, dockerErr)
 	ruleIndex := buildFirewallRuleIndex(firewallRules, firewallErr)
-	appPortMap := buildAppPortMap(ctx)
+	appPortMap, systemPort := buildAppPortMaps(ctx)
 
 	seenIndex := make(map[portKey]int)
 	items := make([]dto.PortSecurityItem, 0)
@@ -138,12 +139,18 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 			}
 		}
 
-		if appName, ok := appPortMap[conn.Laddr.Port]; ok {
-			item.AppName = appName
-			if item.SourceType == "docker" {
+		// Only tag with App Store appName when the port is actually owned by a Docker
+		// container — prevents mis-labelling a host process that happens to listen on
+		// a port matching a stopped app's record.
+		if item.SourceType == "docker" {
+			if appName, ok := appPortMap[conn.Laddr.Port]; ok {
+				item.AppName = appName
 				item.SourceType = "appStore"
 			}
 		}
+		if systemPort != 0 && conn.Laddr.Port == systemPort {
+			item.AppName = "1panel"
+		}
 
 		ruleStrategy, hasRule := matchFirewallRule(ruleIndex, conn.Laddr.Port, proto)
 		item.HasRule = hasRule
@@ -152,8 +159,38 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 		items = append(items, item)
 	}
 
+	// Add synthetic entries for Docker container ports that have no host-side LISTEN
+	// socket — happens when Docker daemon runs with `userland-proxy: false`, where
+	// traffic is forwarded purely via iptables DNAT and no docker-proxy process binds
+	// the host port. Without this, those ports silently disappear from the overview.
+	for key, dInfo := range dockerPortMap {
+		if _, exists := seenIndex[key]; exists {
+			continue
+		}
+		bindAddr := dInfo.hostIP
+		if bindAddr == "" {
+			bindAddr = "0.0.0.0"
+		}
+		item := dto.PortSecurityItem{
+			Port:          key.port,
+			Protocol:      key.protocol,
+			BindAddress:   bindAddr,
+			ContainerName: dInfo.containerName,
+			SourceType:    "docker",
+		}
+		if appName, ok := appPortMap[key.port]; ok {
+			item.AppName = appName
+			item.SourceType = "appStore"
+		}
+		ruleStrategy, hasRule := matchFirewallRule(ruleIndex, key.port, key.protocol)
+		item.HasRule = hasRule
+		item.RuleStrategy = ruleStrategy
+		seenIndex[key] = len(items)
+		items = append(items, item)
+	}
+
 	for i := range items {
-		items[i].Status = determineStatus(items[i].BindAddress, items[i].SourceType, firewallActive, items[i].HasRule)
+		items[i].Status = determineStatus(items[i].BindAddress, items[i].SourceType, firewallActive, items[i].HasRule, items[i].RuleStrategy)
 	}
 
 	// Sort by status priority > protocol > port number
@@ -172,7 +209,7 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 	summary := dto.PortSecuritySummary{Total: len(items)}
 	for _, item := range items {
 		switch item.Status {
-		case "protected":
+		case "protected", "blocked":
 			summary.Protected++
 		case "noRule":
 			summary.Unprotected++
@@ -197,7 +234,8 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 				portStr := strconv.FormatUint(uint64(item.Port), 10)
 				if !strings.Contains(portStr, keyword) &&
 					!strings.Contains(strings.ToLower(item.ProcessName), keyword) &&
-					!strings.Contains(strings.ToLower(item.ContainerName), keyword) {
+					!strings.Contains(strings.ToLower(item.ContainerName), keyword) &&
+					!strings.Contains(strings.ToLower(item.AppName), keyword) {
 					continue
 				}
 			}
@@ -255,42 +293,58 @@ func buildFirewallRuleIndex(rules []fireClient.FireInfo, err error) []firewallRu
 	return entries
 }
 
-// buildAppPortMap creates a lookup map from port number to app name.
-func buildAppPortMap(ctx context.Context) map[uint32]string {
-	result := make(map[uint32]string)
+// buildAppPortMaps returns two lookup tables: ports owned by App Store installed
+// apps (keyed by host port → app key), and the 1Panel system port. The system
+// port is returned separately because it's served by a host process (1panel-core),
+// not a Docker container, so it must not go through the docker→appStore promotion.
+func buildAppPortMaps(ctx context.Context) (map[uint32]string, uint32) {
+	appPorts := make(map[uint32]string)
 	apps, err := appInstallRepo.ListBy(ctx)
-	if err != nil {
-		return result
-	}
-	for _, app := range apps {
-		if app.HttpPort > 0 {
-			result[uint32(app.HttpPort)] = app.App.Key
-		}
-		if app.HttpsPort > 0 {
-			result[uint32(app.HttpsPort)] = app.App.Key
+	if err == nil {
+		for _, app := range apps {
+			if app.HttpPort > 0 {
+				appPorts[uint32(app.HttpPort)] = app.App.Key
+			}
+			if app.HttpsPort > 0 {
+				appPorts[uint32(app.HttpsPort)] = app.App.Key
+			}
 		}
 	}
-	systemPort, err := settingRepo.Get(settingRepo.WithByKey("ServerPort"))
-	if err == nil && systemPort.Value != "" {
-		if port, e := strconv.ParseUint(systemPort.Value, 10, 32); e == nil {
-			result[uint32(port)] = "1panel"
+	var systemPort uint32
+	if setting, err := settingRepo.Get(settingRepo.WithByKey("ServerPort")); err == nil && setting.Value != "" {
+		if port, e := strconv.ParseUint(setting.Value, 10, 32); e == nil {
+			systemPort = uint32(port)
 		}
 	}
-	return result
+	return appPorts, systemPort
 }
 
 // matchFirewallRule checks if a port has a matching firewall rule, respecting protocol.
+// When multiple rules match (e.g. an accept and a drop on the same port), drop/reject
+// takes precedence over accept. This is security-conservative — if any deny rule applies,
+// the port is reported as denied. It also keeps the result deterministic regardless of
+// the underlying backend's listing order (firewalld lists --list-ports accepts before
+// rich-rule drops, iptables lists by line number, ufw by rule index).
 func matchFirewallRule(rules []firewallRuleEntry, port uint32, proto string) (string, bool) {
 	portStr := strconv.FormatUint(uint64(port), 10)
+	acceptStrategy := ""
+	foundAccept := false
 	for _, r := range rules {
 		if r.protocol != "" && r.protocol != "tcp/udp" && r.protocol != proto {
 			continue
 		}
-		if portMatchesRule(portStr, port, r.portStr) {
+		if !portMatchesRule(portStr, port, r.portStr) {
+			continue
+		}
+		if r.strategy == "drop" || r.strategy == "reject" {
 			return r.strategy, true
 		}
+		if !foundAccept {
+			acceptStrategy = r.strategy
+			foundAccept = true
+		}
 	}
-	return "", false
+	return acceptStrategy, foundAccept
 }
 
 func portMatchesRule(portStr string, portNum uint32, rulePort string) bool {
@@ -318,13 +372,19 @@ func portMatchesRule(portStr string, portNum uint32, rulePort string) bool {
 
 // determineStatus assigns a security status to a port based on its bind address,
 // source type, firewall state, and rule coverage. Priority order:
-// 1. Non-wildcard bind address → localOnly
-// 2. Docker/appStore source → dockerBypass
+// 1. Loopback or link-local bind (127.0.0.0/8, ::1, fe80::/10) → localOnly (unreachable from outside)
+// 2. Docker/appStore source with wildcard bind → dockerBypass (rule applies to INPUT
+//    chain but Docker traffic goes through FORWARD, so the rule is silently ineffective)
 // 3. Firewall inactive → firewallInactive
-// 4. Has matching rule → protected
-// 5. Otherwise → noRule
-func determineStatus(bindAddr, sourceType string, firewallActive, hasRule bool) string {
-	if !isWildcardAddress(bindAddr) {
+// 4. Matching rule with drop/reject strategy → blocked
+// 5. Matching rule with accept strategy → protected
+// 6. Otherwise → noRule
+//
+// Note: a port bound to a specific non-loopback host IP (e.g. the server's public NIC IP
+// or the docker bridge gateway 172.17.0.1) is reachable on that interface and therefore
+// goes through the firewall-rule check rather than being labelled localOnly.
+func determineStatus(bindAddr, sourceType string, firewallActive, hasRule bool, ruleStrategy string) string {
+	if isLoopbackOrLinkLocal(bindAddr) {
 		return "localOnly"
 	}
 	if sourceType == "docker" || sourceType == "appStore" {
@@ -334,6 +394,9 @@ func determineStatus(bindAddr, sourceType string, firewallActive, hasRule bool)
 		return "firewallInactive"
 	}
 	if hasRule {
+		if ruleStrategy == "drop" || ruleStrategy == "reject" {
+			return "blocked"
+		}
 		return "protected"
 	}
 	return "noRule"
@@ -349,10 +412,12 @@ func statusSortPriority(status string) int {
 		return 2
 	case "protected":
 		return 3
-	case "localOnly":
+	case "blocked":
 		return 4
-	default:
+	case "localOnly":
 		return 5
+	default:
+		return 6
 	}
 }
 
@@ -361,6 +426,23 @@ func isWildcardAddress(addr string) bool {
 	return addr == "0.0.0.0" || addr == "::" || addr == ""
 }
 
+// isLoopbackOrLinkLocal returns true if the address is provably unreachable from
+// outside the host: loopback (127.0.0.0/8, ::1) or link-local (169.254.0.0/16,
+// fe80::/10). Wildcard addresses (0.0.0.0, ::) are NOT loopback — they bind every
+// interface including public ones. A specific non-loopback IP (a public NIC IP, a
+// docker bridge gateway like 172.17.0.1, etc.) is reachable on that interface and
+// must go through firewall-rule evaluation, not be labelled localOnly outright.
+func isLoopbackOrLinkLocal(addr string) bool {
+	if addr == "" {
+		return false
+	}
+	ip := stdnet.ParseIP(addr)
+	if ip == nil {
+		return false
+	}
+	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
+}
+
 func getProcessNameByPID(pid int32) string {
 	proc, err := process.NewProcess(pid)
 	if err != nil {
diff --git a/frontend/src/lang/modules/en.ts b/frontend/src/lang/modules/en.ts
index 419d68ff4026..ecd685b2ffb5 100644
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@@ -3362,23 +3362,28 @@ const message = {
         dockerHelper:
             'The current firewall cannot disable container port mapping. Installed applications can go to the [Installed] page to edit application parameters and configure port release rules.',
         portSecurity: 'Port Security Scan',
-        portSecurityAllSafe: 'All listening ports are protected',
+        portSecurityAllSafe: 'No issues found in this scan',
+        portSecurityScanLimit:
+            'Scope: host-side listeners and Docker default bridge networking. macvlan, ipvlan, overlay, Swarm ingress and external NAT/load-balancer paths are not evaluated.',
+        portSecurityScanFailed: 'Port security scan failed. Please refresh and try again.',
         dockerBypass: 'Docker Bypass',
         dockerBypassTip:
-            'This port is exposed via Docker container mapping, bypassing firewall INPUT chain rules. Adding port rules cannot block external access.',
+            'Docker publishes this port directly, so firewall rules on the host do not apply. To limit access, bind the container to 127.0.0.1 or a specific interface.',
         dockerBypassSuggest:
-            'Suggest changing port mapping to 127.0.0.1:{0}:{0} in docker-compose.yml and restart the container.',
-        dockerBypassHasRule: 'Firewall rule exists ({0} {1}/{2}), but it is not effective.',
-        noRule: 'No Rule',
-        localOnly: 'Local Only',
-        protected: 'Protected',
-        firewallInactive: 'Firewall Inactive',
+            'Change the port mapping to 127.0.0.1:{0}:{0} (instead of binding to all interfaces) and restart the container.',
+        dockerBypassHasRule:
+            'A firewall rule exists for this port ({0} {1}/{2}), but it does not apply to Docker-published ports.',
+        noRule: 'No matching rule',
+        localOnly: 'Local only',
+        protected: 'Allowed by rule',
+        blocked: 'Blocked by rule',
+        firewallInactive: 'Firewall not running',
         goToApp: 'Go to App Settings',
         dockerBypassDetail: 'How to fix',
         createRuleQuick: 'Create Rule',
-        portSecurityRiskLabel: 'risk(s)',
-        portSecurityPendingLabel: 'pending',
-        portSecuritySafeLabel: 'safe',
+        portSecurityRiskLabel: 'need fixing',
+        portSecurityPendingLabel: 'to review',
+        portSecuritySafeLabel: 'OK',
         portSecuritySource: 'Process / Container',
         portSecurityBindAddr: 'Bind Address',
         dockerLabel: 'Container',
diff --git a/frontend/src/lang/modules/es-es.ts b/frontend/src/lang/modules/es-es.ts
index 7fc80003fc3c..60028f7e3cb0 100644
--- a/frontend/src/lang/modules/es-es.ts
+++ b/frontend/src/lang/modules/es-es.ts
@@ -3395,21 +3395,25 @@ const message = {
         dockerHelper:
             'El firewall actual no puede deshabilitar el mapeo de puertos de contenedores. Las aplicaciones instaladas pueden ir a la página [Instaladas] para editar los parámetros de la aplicación y configurar reglas de liberación de puertos.',
         portSecurity: 'Análisis de Seguridad de Puertos',
-        portSecurityAllSafe: 'Todos los puertos en escucha están protegidos',
+        portSecurityAllSafe: 'No se encontraron problemas en este análisis',
+        portSecurityScanLimit:
+            'Ámbito: escuchadores del host y la red bridge por defecto de Docker. macvlan, ipvlan, overlay, Swarm ingress y rutas externas de NAT/balanceador no se evalúan.',
+        portSecurityScanFailed: 'El análisis de seguridad de puertos ha fallado. Actualice y vuelva a intentarlo.',
         dockerBypass: 'Bypass de Docker',
-        dockerBypassTip: 'Este puerto está expuesto mediante el mapeo de contenedor Docker, eludiendo las reglas de la cadena INPUT del cortafuegos. Añadir reglas de puerto no puede bloquear el acceso externo.',
-        dockerBypassSuggest: 'Se recomienda cambiar el mapeo de puertos a 127.0.0.1:{0}:{0} en docker-compose.yml y reiniciar el contenedor.',
-        dockerBypassHasRule: 'Existe una regla de cortafuegos ({0} {1}/{2}), pero no es efectiva.',
-        noRule: 'Sin Regla',
-        localOnly: 'Solo Local',
-        protected: 'Protegido',
-        firewallInactive: 'Cortafuegos Inactivo',
+        dockerBypassTip: 'Este puerto es publicado directamente por Docker, por lo que las reglas del cortafuegos del host no se aplican. Para restringir el acceso, vincule el contenedor a 127.0.0.1 o a una interfaz específica.',
+        dockerBypassSuggest: 'Cambie el mapeo de puertos a 127.0.0.1:{0}:{0} (en lugar de vincular a todas las interfaces) y reinicie el contenedor.',
+        dockerBypassHasRule: 'Existe una regla de cortafuegos para este puerto ({0} {1}/{2}), pero no se aplica a los puertos publicados por Docker.',
+        noRule: 'Sin regla coincidente',
+        localOnly: 'Solo local',
+        protected: 'Permitido por regla',
+        blocked: 'Bloqueado por regla',
+        firewallInactive: 'Cortafuegos no está en ejecución',
         goToApp: 'Ir a Configuración de la App',
         dockerBypassDetail: 'Cómo solucionarlo',
         createRuleQuick: 'Crear Regla',
-        portSecurityRiskLabel: 'riesgo(s)',
-        portSecurityPendingLabel: 'pendiente(s)',
-        portSecuritySafeLabel: 'seguro(s)',
+        portSecurityRiskLabel: 'a corregir',
+        portSecurityPendingLabel: 'para revisar',
+        portSecuritySafeLabel: 'OK',
         portSecuritySource: 'Proceso / Contenedor',
         portSecurityBindAddr: 'Dirección de Enlace',
         dockerLabel: 'Contenedor',
diff --git a/frontend/src/lang/modules/ja.ts b/frontend/src/lang/modules/ja.ts
index daf5a5fedde0..7054c9779219 100644
--- a/frontend/src/lang/modules/ja.ts
+++ b/frontend/src/lang/modules/ja.ts
@@ -3385,21 +3385,25 @@ const message = {
         dockerHelper:
             '現在のファイアウォールではコンテナのポートマッピングを無効にできません。インストール済みアプリケーションは【インストール済み】ページでアプリケーションパラメータを編集し、ポート開放ルールを設定できます。',
         portSecurity: 'ポートセキュリティスキャン',
-        portSecurityAllSafe: 'すべてのリスニングポートは保護されています',
+        portSecurityAllSafe: '今回のスキャンでは問題は検出されませんでした',
+        portSecurityScanLimit:
+            '検出範囲：ホスト側リスナーと Docker デフォルトの bridge ネットワーク。macvlan / ipvlan / overlay / Swarm ingress、および外部 NAT・ロードバランサ経路は評価されません。',
+        portSecurityScanFailed: 'ポートセキュリティスキャンに失敗しました。更新して再試行してください。',
         dockerBypass: 'Docker バイパス',
-        dockerBypassTip: 'このポートは Docker コンテナマッピングにより公開されており、ファイアウォールの INPUT チェーンルールをバイパスしています。ポートルールを追加しても外部アクセスをブロックできません。',
-        dockerBypassSuggest: 'docker-compose.yml でポートマッピングを 127.0.0.1:{0}:{0} に変更し、コンテナを再起動することを推奨します。',
-        dockerBypassHasRule: 'ファイアウォールルールが存在します（{0} {1}/{2}）が、実際には有効ではありません。',
-        noRule: 'ルールなし',
+        dockerBypassTip: 'このポートは Docker によって直接公開されているため、ホスト上のファイアウォールルールは適用されません。アクセスを制限するには、コンテナを 127.0.0.1 または特定のインターフェースにバインドしてください。',
+        dockerBypassSuggest: 'ポートマッピングを 127.0.0.1:{0}:{0} に変更し（すべてのインターフェースにバインドしない）、コンテナを再起動してください。',
+        dockerBypassHasRule: 'このポートにはファイアウォールルール（{0} {1}/{2}）が存在しますが、Docker が公開するポートには適用されません。',
+        noRule: '一致するルールなし',
         localOnly: 'ローカルのみ',
-        protected: '保護済み',
+        protected: 'ルールで許可',
+        blocked: 'ルールで遮断',
         firewallInactive: 'ファイアウォール無効',
         goToApp: 'アプリ設定へ移動',
         dockerBypassDetail: '修正方法',
         createRuleQuick: 'ルールを作成',
-        portSecurityRiskLabel: '件のリスク',
-        portSecurityPendingLabel: '件の未対応',
-        portSecuritySafeLabel: '件の安全',
+        portSecurityRiskLabel: '件要修正',
+        portSecurityPendingLabel: '件要確認',
+        portSecuritySafeLabel: '件正常',
         portSecuritySource: 'プロセス / コンテナ',
         portSecurityBindAddr: 'バインドアドレス',
         dockerLabel: 'コンテナ',
diff --git a/frontend/src/lang/modules/ko.ts b/frontend/src/lang/modules/ko.ts
index 2917b9f3d37f..66565299f7cb 100644
--- a/frontend/src/lang/modules/ko.ts
+++ b/frontend/src/lang/modules/ko.ts
@@ -3307,21 +3307,25 @@ const message = {
         dockerHelper:
             '현재 방화벽은 컨테이너 포트 매핑을 비활성화할 수 없습니다. 설치된 애플리케이션은 [설치됨] 페이지에서 애플리케이션 매개변수를 편집하고 포트 해제 규칙을 구성할 수 있습니다.',
         portSecurity: '포트 보안 스캔',
-        portSecurityAllSafe: '모든 수신 포트가 보호되고 있습니다',
+        portSecurityAllSafe: '이번 스캔에서 문제가 발견되지 않았습니다',
+        portSecurityScanLimit:
+            '검사 범위: 호스트 리스너와 Docker 기본 bridge 네트워크. macvlan / ipvlan / overlay / Swarm ingress 및 외부 NAT・로드밸런서 경로는 평가되지 않습니다.',
+        portSecurityScanFailed: '포트 보안 스캔에 실패했습니다. 새로고침 후 다시 시도하세요.',
         dockerBypass: 'Docker 우회',
-        dockerBypassTip: '이 포트는 Docker 컨테이너 매핑을 통해 노출되어 방화벽 INPUT 체인 규칙을 우회합니다. 포트 규칙을 추가해도 외부 접근을 차단할 수 없습니다.',
-        dockerBypassSuggest: 'docker-compose.yml에서 포트 매핑을 127.0.0.1:{0}:{0}으로 변경하고 컨테이너를 재시작하는 것을 권장합니다.',
-        dockerBypassHasRule: '방화벽 규칙이 존재하지만({0} {1}/{2}), 실제로 적용되지 않습니다.',
-        noRule: '규칙 없음',
+        dockerBypassTip: '이 포트는 Docker가 직접 게시한 것으로, 호스트의 방화벽 규칙이 적용되지 않습니다. 접근을 제한하려면 컨테이너를 127.0.0.1 또는 특정 인터페이스에 바인드하세요.',
+        dockerBypassSuggest: '포트 매핑을 127.0.0.1:{0}:{0}으로 변경(모든 인터페이스에 바인딩하지 않음)하고 컨테이너를 재시작하세요.',
+        dockerBypassHasRule: '이 포트에 방화벽 규칙({0} {1}/{2})이 있지만 Docker가 게시한 포트에는 적용되지 않습니다.',
+        noRule: '일치하는 규칙 없음',
         localOnly: '로컬 전용',
-        protected: '보호됨',
+        protected: '규칙 허용',
+        blocked: '규칙 차단',
         firewallInactive: '방화벽 비활성',
         goToApp: '앱 설정으로 이동',
         dockerBypassDetail: '해결 방법',
         createRuleQuick: '규칙 생성',
-        portSecurityRiskLabel: '개 위험',
-        portSecurityPendingLabel: '개 보류',
-        portSecuritySafeLabel: '개 안전',
+        portSecurityRiskLabel: '건 수정 필요',
+        portSecurityPendingLabel: '건 검토 필요',
+        portSecuritySafeLabel: '건 정상',
         portSecuritySource: '프로세스 / 컨테이너',
         portSecurityBindAddr: '바인드 주소',
         dockerLabel: '컨테이너',
diff --git a/frontend/src/lang/modules/ms.ts b/frontend/src/lang/modules/ms.ts
index 113859a2c6cc..9389854db3aa 100644
--- a/frontend/src/lang/modules/ms.ts
+++ b/frontend/src/lang/modules/ms.ts
@@ -3433,21 +3433,25 @@ const message = {
         dockerHelper:
             'Firewall semasa tidak boleh melumpuhkan pemetaan port bekas. Aplikasi yang dipasang boleh pergi ke halaman [Dipasang] untuk mengedit parameter aplikasi dan mengkonfigurasi peraturan pelepasan port.',
         portSecurity: 'Imbasan Keselamatan Port',
-        portSecurityAllSafe: 'Semua port yang mendengar telah dilindungi',
+        portSecurityAllSafe: 'Tiada masalah ditemui dalam imbasan ini',
+        portSecurityScanLimit:
+            'Skop: pendengar pada hos dan rangkaian bridge lalai Docker. macvlan, ipvlan, overlay, Swarm ingress dan laluan NAT/penyeimbang beban luaran tidak dinilai.',
+        portSecurityScanFailed: 'Imbasan keselamatan port gagal. Sila muat semula dan cuba lagi.',
         dockerBypass: 'Pintasan Docker',
-        dockerBypassTip: 'Port ini didedahkan melalui pemetaan kontena Docker, memintas peraturan rantai INPUT firewall. Menambah peraturan port tidak dapat menyekat akses luaran.',
-        dockerBypassSuggest: 'Disarankan untuk menukar pemetaan port kepada 127.0.0.1:{0}:{0} dalam docker-compose.yml dan mulakan semula kontena.',
-        dockerBypassHasRule: 'Peraturan firewall wujud ({0} {1}/{2}), tetapi ia tidak berkesan.',
-        noRule: 'Tiada Peraturan',
-        localOnly: 'Setempat Sahaja',
-        protected: 'Dilindungi',
-        firewallInactive: 'Firewall Tidak Aktif',
+        dockerBypassTip: 'Port ini diterbitkan secara langsung oleh Docker, jadi peraturan firewall pada hos tidak terpakai. Untuk menyekat akses, ikat kontena kepada 127.0.0.1 atau antara muka tertentu.',
+        dockerBypassSuggest: 'Ubah pemetaan port kepada 127.0.0.1:{0}:{0} (bukan mengikat kepada semua antara muka) dan mulakan semula kontena.',
+        dockerBypassHasRule: 'Terdapat peraturan firewall untuk port ini ({0} {1}/{2}), tetapi ia tidak terpakai pada port yang diterbitkan oleh Docker.',
+        noRule: 'Tiada peraturan sepadan',
+        localOnly: 'Setempat sahaja',
+        protected: 'Dibenarkan oleh peraturan',
+        blocked: 'Disekat oleh peraturan',
+        firewallInactive: 'Firewall tidak berjalan',
         goToApp: 'Pergi ke Tetapan Aplikasi',
         dockerBypassDetail: 'Cara membaiki',
         createRuleQuick: 'Cipta Peraturan',
-        portSecurityRiskLabel: 'risiko',
-        portSecurityPendingLabel: 'belum selesai',
-        portSecuritySafeLabel: 'selamat',
+        portSecurityRiskLabel: 'perlu dibaiki',
+        portSecurityPendingLabel: 'untuk disemak',
+        portSecuritySafeLabel: 'OK',
         portSecuritySource: 'Proses / Kontena',
         portSecurityBindAddr: 'Alamat Bind',
         dockerLabel: 'Kontena',
diff --git a/frontend/src/lang/modules/pt-br.ts b/frontend/src/lang/modules/pt-br.ts
index 00bd27c88f29..d25a8ffef28e 100644
--- a/frontend/src/lang/modules/pt-br.ts
+++ b/frontend/src/lang/modules/pt-br.ts
@@ -3570,21 +3570,25 @@ const message = {
         dockerHelper:
             'O firewall atual não pode desativar o mapeamento de porta de contêiner. Aplicativos instalados podem ir para a página [Instalados] para editar parâmetros do aplicativo e configurar regras de liberação de porta.',
         portSecurity: 'Verificação de Segurança de Portas',
-        portSecurityAllSafe: 'Todas as portas em escuta estão protegidas',
+        portSecurityAllSafe: 'Nenhum problema encontrado nesta verificação',
+        portSecurityScanLimit:
+            'Escopo: escutadores no host e a rede bridge padrão do Docker. macvlan, ipvlan, overlay, Swarm ingress e caminhos externos de NAT/balanceador de carga não são avaliados.',
+        portSecurityScanFailed: 'Falha na verificação de segurança de portas. Atualize e tente novamente.',
         dockerBypass: 'Bypass do Docker',
-        dockerBypassTip: 'Esta porta está exposta via mapeamento de contêiner Docker, ignorando as regras da cadeia INPUT do firewall. Adicionar regras de porta não pode bloquear o acesso externo.',
-        dockerBypassSuggest: 'Sugerimos alterar o mapeamento de porta para 127.0.0.1:{0}:{0} no docker-compose.yml e reiniciar o contêiner.',
-        dockerBypassHasRule: 'Regra de firewall existente ({0} {1}/{2}), mas não está em vigor.',
-        noRule: 'Sem Regra',
-        localOnly: 'Apenas Local',
-        protected: 'Protegido',
-        firewallInactive: 'Firewall Inativo',
+        dockerBypassTip: 'Esta porta é publicada diretamente pelo Docker, portanto as regras de firewall no host não se aplicam. Para restringir o acesso, vincule o contêiner a 127.0.0.1 ou a uma interface específica.',
+        dockerBypassSuggest: 'Altere o mapeamento de porta para 127.0.0.1:{0}:{0} (em vez de vincular a todas as interfaces) e reinicie o contêiner.',
+        dockerBypassHasRule: 'Existe uma regra de firewall para esta porta ({0} {1}/{2}), mas ela não se aplica a portas publicadas pelo Docker.',
+        noRule: 'Sem regra correspondente',
+        localOnly: 'Apenas local',
+        protected: 'Permitido por regra',
+        blocked: 'Bloqueado por regra',
+        firewallInactive: 'Firewall não está em execução',
         goToApp: 'Ir para Configurações do App',
         dockerBypassDetail: 'Como corrigir',
         createRuleQuick: 'Criar Regra',
-        portSecurityRiskLabel: 'risco(s)',
-        portSecurityPendingLabel: 'pendente(s)',
-        portSecuritySafeLabel: 'seguro(s)',
+        portSecurityRiskLabel: 'a corrigir',
+        portSecurityPendingLabel: 'para revisar',
+        portSecuritySafeLabel: 'OK',
         portSecuritySource: 'Processo / Contêiner',
         portSecurityBindAddr: 'Endereço de Bind',
         dockerLabel: 'Contêiner',
diff --git a/frontend/src/lang/modules/ru.ts b/frontend/src/lang/modules/ru.ts
index e1f0d6c6d6aa..d98692d507c7 100644
--- a/frontend/src/lang/modules/ru.ts
+++ b/frontend/src/lang/modules/ru.ts
@@ -3427,21 +3427,25 @@ const message = {
         dockerHelper:
             'Текущий брандмауэр не может отключить сопоставление портов контейнера. Установленные приложения могут перейти на страницу [Установленные], чтобы редактировать параметры приложения и настраивать правила открытия портов.',
         portSecurity: 'Сканирование безопасности портов',
-        portSecurityAllSafe: 'Все прослушиваемые порты защищены',
+        portSecurityAllSafe: 'В этом сканировании проблем не обнаружено',
+        portSecurityScanLimit:
+            'Область сканирования: хост-слушатели и стандартная сеть Docker bridge. macvlan, ipvlan, overlay, Swarm ingress и внешние пути NAT/балансировщика не оцениваются.',
+        portSecurityScanFailed: 'Сканирование безопасности портов не удалось. Обновите страницу и попробуйте снова.',
         dockerBypass: 'Обход Docker',
-        dockerBypassTip: 'Этот порт открыт через маппинг контейнера Docker, минуя правила цепочки INPUT брандмауэра. Добавление правил для порта не может заблокировать внешний доступ.',
-        dockerBypassSuggest: 'Рекомендуется изменить маппинг порта на 127.0.0.1:{0}:{0} в docker-compose.yml и перезапустить контейнер.',
-        dockerBypassHasRule: 'Правило брандмауэра существует ({0} {1}/{2}), но оно не действует.',
-        noRule: 'Нет правила',
+        dockerBypassTip: 'Этот порт публикуется Docker напрямую, поэтому правила брандмауэра на хосте к нему не применяются. Чтобы ограничить доступ, привяжите контейнер к 127.0.0.1 или конкретному интерфейсу.',
+        dockerBypassSuggest: 'Измените маппинг порта на 127.0.0.1:{0}:{0} (вместо привязки ко всем интерфейсам) и перезапустите контейнер.',
+        dockerBypassHasRule: 'Для этого порта существует правило брандмауэра ({0} {1}/{2}), но оно не применяется к портам, опубликованным Docker.',
+        noRule: 'Нет соответствующего правила',
         localOnly: 'Только локально',
-        protected: 'Защищён',
-        firewallInactive: 'Брандмауэр неактивен',
+        protected: 'Разрешено правилом',
+        blocked: 'Заблокировано правилом',
+        firewallInactive: 'Брандмауэр не работает',
         goToApp: 'Перейти к настройкам приложения',
         dockerBypassDetail: 'Как исправить',
         createRuleQuick: 'Создать правило',
-        portSecurityRiskLabel: 'риск(ов)',
-        portSecurityPendingLabel: 'в ожидании',
-        portSecuritySafeLabel: 'безопасно',
+        portSecurityRiskLabel: 'требует исправления',
+        portSecurityPendingLabel: 'на проверку',
+        portSecuritySafeLabel: 'в норме',
         portSecuritySource: 'Процесс / Контейнер',
         portSecurityBindAddr: 'Адрес привязки',
         dockerLabel: 'Контейнер',
diff --git a/frontend/src/lang/modules/tr.ts b/frontend/src/lang/modules/tr.ts
index c1ee99aac507..e52d8197c16d 100644
--- a/frontend/src/lang/modules/tr.ts
+++ b/frontend/src/lang/modules/tr.ts
@@ -3428,21 +3428,25 @@ const message = {
         dockerHelper:
             'Mevcut güvenlik duvarı konteyner port eşlemesini devre dışı bırakamaz. Yüklü uygulamalar, uygulama parametrelerini düzenlemek ve port serbest bırakma kurallarını yapılandırmak için [Yüklü] sayfasına gidebilir.',
         portSecurity: 'Port Güvenlik Taraması',
-        portSecurityAllSafe: 'Tüm dinlenen portlar korunuyor',
+        portSecurityAllSafe: 'Bu taramada sorun bulunamadı',
+        portSecurityScanLimit:
+            'Tarama kapsamı: ana makine dinleyicileri ve Docker varsayılan bridge ağı. macvlan / ipvlan / overlay / Swarm ingress ve dış NAT/yük dengeleyici yolları değerlendirilmez.',
+        portSecurityScanFailed: 'Port güvenlik taraması başarısız oldu. Lütfen yenileyip tekrar deneyin.',
         dockerBypass: 'Docker Atlatma',
-        dockerBypassTip: 'Bu port, Docker konteyner eşlemesi aracılığıyla açığa çıkmıştır ve güvenlik duvarı INPUT zinciri kurallarını atlatmaktadır. Port kuralı eklemek dış erişimi engelleyemez.',
-        dockerBypassSuggest: 'docker-compose.yml dosyasında port eşlemesini 127.0.0.1:{0}:{0} olarak değiştirip konteyneri yeniden başlatmanız önerilir.',
-        dockerBypassHasRule: 'Güvenlik duvarı kuralı mevcut ({0} {1}/{2}), ancak etkili değil.',
-        noRule: 'Kural Yok',
-        localOnly: 'Yalnızca Yerel',
-        protected: 'Korumalı',
-        firewallInactive: 'Güvenlik Duvarı Devre Dışı',
+        dockerBypassTip: 'Bu port Docker tarafından doğrudan yayımlanır, bu nedenle ana makinedeki güvenlik duvarı kuralları geçerli olmaz. Erişimi kısıtlamak için konteyneri 127.0.0.1 veya belirli bir arayüze bağlayın.',
+        dockerBypassSuggest: 'Port eşlemesini 127.0.0.1:{0}:{0} olarak değiştirin (tüm arayüzlere bağlamak yerine) ve konteyneri yeniden başlatın.',
+        dockerBypassHasRule: 'Bu port için bir güvenlik duvarı kuralı ({0} {1}/{2}) mevcut, ancak Docker tarafından yayımlanan portlara uygulanmaz.',
+        noRule: 'Eşleşen kural yok',
+        localOnly: 'Yalnızca yerel',
+        protected: 'Kural izin veriyor',
+        blocked: 'Kural engelliyor',
+        firewallInactive: 'Güvenlik duvarı çalışmıyor',
         goToApp: 'Uygulama Ayarlarına Git',
         dockerBypassDetail: 'Nasıl düzeltilir',
         createRuleQuick: 'Kural Oluştur',
-        portSecurityRiskLabel: 'risk',
-        portSecurityPendingLabel: 'beklemede',
-        portSecuritySafeLabel: 'güvenli',
+        portSecurityRiskLabel: 'düzeltilmesi gerekir',
+        portSecurityPendingLabel: 'gözden geçirilecek',
+        portSecuritySafeLabel: 'normal',
         portSecuritySource: 'İşlem / Konteyner',
         portSecurityBindAddr: 'Bağlama Adresi',
         dockerLabel: 'Konteyner',
diff --git a/frontend/src/lang/modules/zh-Hant.ts b/frontend/src/lang/modules/zh-Hant.ts
index 67ca47be6aef..7dc0d4f34653 100644
--- a/frontend/src/lang/modules/zh-Hant.ts
+++ b/frontend/src/lang/modules/zh-Hant.ts
@@ -3113,21 +3113,24 @@ const message = {
         cookieBlockList: 'Cookie 黑名單',
         dockerHelper: '目前防火牆無法停用容器埠映射，已安裝應用可前往【已安裝】頁面編輯應用參數，設定埠放行規則。',
         portSecurity: '連接埠安全檢測',
-        portSecurityAllSafe: '所有監聽連接埠已受保護',
+        portSecurityAllSafe: '本次掃描未發現問題',
+        portSecurityScanLimit: '檢測範圍：宿主機監聽連接埠與 Docker 預設 bridge 網路。macvlan / ipvlan / overlay / Swarm ingress 以及外部 NAT、負載均衡路徑不在評估範圍。',
+        portSecurityScanFailed: '連接埠安全檢測失敗，請刷新重試。',
         dockerBypass: 'Docker 繞過',
-        dockerBypassTip: '此連接埠透過 Docker 容器映射，繞過防火牆 INPUT 規則。新增連接埠規則無法阻止外部存取。',
-        dockerBypassSuggest: '建議在 docker-compose.yml 中將連接埠映射改為 127.0.0.1:{0}:{0}，然後重啟容器。',
-        dockerBypassHasRule: '已有防火牆規則（{0} {1}/{2}），但該規則實際不生效。',
-        noRule: '未配置規則',
+        dockerBypassTip: '此連接埠由 Docker 直接發布，宿主機上的防火牆規則對它無效。如需限制存取，請將容器綁定到 127.0.0.1 或指定網卡。',
+        dockerBypassSuggest: '將連接埠映射改為 127.0.0.1:{0}:{0}（而非綁定所有網卡），然後重啟容器。',
+        dockerBypassHasRule: '此連接埠存在防火牆規則（{0} {1}/{2}），但該規則對 Docker 發布的連接埠不生效。',
+        noRule: '無匹配規則',
         localOnly: '僅本機',
-        protected: '已保護',
+        protected: '規則放行',
+        blocked: '規則攔截',
         firewallInactive: '防火牆未啟用',
         goToApp: '前往容器設定',
         dockerBypassDetail: '如何修復',
         createRuleQuick: '建立規則',
-        portSecurityRiskLabel: '個風險',
-        portSecurityPendingLabel: '個待處理',
-        portSecuritySafeLabel: '個已安全',
+        portSecurityRiskLabel: '個需修復',
+        portSecurityPendingLabel: '個待複核',
+        portSecuritySafeLabel: '個正常',
         portSecuritySource: '處理程序 / 容器',
         portSecurityBindAddr: '綁定位址',
         dockerLabel: '容器',
diff --git a/frontend/src/lang/modules/zh.ts b/frontend/src/lang/modules/zh.ts
index fa20e32f22f7..ed69b0768ac6 100644
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@@ -3113,21 +3113,24 @@ const message = {
 
         dockerHelper: '当前防火墙无法禁用容器端口映射，已安装应用可前往【已安装】页面编辑应用参数，配置端口放行规则。',
         portSecurity: '端口安全检测',
-        portSecurityAllSafe: '所有监听端口已保护',
+        portSecurityAllSafe: '本次扫描未发现问题',
+        portSecurityScanLimit: '检测范围：宿主机监听端口与 Docker 默认 bridge 网络。macvlan / ipvlan / overlay / Swarm ingress 以及外部 NAT、负载均衡路径不在评估范围。',
+        portSecurityScanFailed: '端口安全检测失败，请刷新重试。',
         dockerBypass: 'Docker 绕过',
-        dockerBypassTip: '此端口通过 Docker 容器映射，绕过防火墙 INPUT 规则。添加端口规则无法阻止外部访问。',
-        dockerBypassSuggest: '建议在 docker-compose.yml 中将端口映射改为 127.0.0.1:{0}:{0}，然后重启容器。',
-        dockerBypassHasRule: '已有防火墙规则（{0} {1}/{2}），但该规则实际不生效。',
-        noRule: '未配规则',
+        dockerBypassTip: '该端口由 Docker 直接发布，宿主机上的防火墙规则对它无效。如需限制访问，请将容器绑定到 127.0.0.1 或指定网卡。',
+        dockerBypassSuggest: '将端口映射改为 127.0.0.1:{0}:{0}（而非绑定所有网卡），然后重启容器。',
+        dockerBypassHasRule: '该端口存在防火墙规则（{0} {1}/{2}），但该规则对 Docker 发布的端口不生效。',
+        noRule: '无匹配规则',
         localOnly: '仅本机',
-        protected: '已保护',
+        protected: '规则放行',
+        blocked: '规则拦截',
         firewallInactive: '防火墙未启用',
         goToApp: '前往容器设置',
         dockerBypassDetail: '如何修复',
         createRuleQuick: '创建规则',
-        portSecurityRiskLabel: '个风险',
-        portSecurityPendingLabel: '个待处理',
-        portSecuritySafeLabel: '个已安全',
+        portSecurityRiskLabel: '个需修复',
+        portSecurityPendingLabel: '个待复核',
+        portSecuritySafeLabel: '个正常',
         portSecuritySource: '进程 / 容器',
         portSecurityBindAddr: '绑定地址',
         dockerLabel: '容器',
diff --git a/frontend/src/views/host/firewall/port/awareness/index.vue b/frontend/src/views/host/firewall/port/awareness/index.vue
index a6fc34a3f8a3..55cd7d1d0dcb 100644
--- a/frontend/src/views/host/firewall/port/awareness/index.vue
+++ b/frontend/src/views/host/firewall/port/awareness/index.vue
@@ -3,10 +3,20 @@
         <template #leftToolBar>
             <span style="font-weight: 500; font-size: 14px;">{{ $t('firewall.portSecurity') }}</span>
             <template v-if="!loading && overview">
-                <el-tag v-if="overview.summary.dockerBypassed > 0" type="danger">
+                <el-tag
+                    v-if="overview.summary.dockerBypassed > 0"
+                    type="danger"
+                    class="summary-chip"
+                    @click="onChipFilter('dockerBypass')"
+                >
                     {{ overview.summary.dockerBypassed }} {{ $t('firewall.portSecurityRiskLabel') }}
                 </el-tag>
-                <el-tag v-if="overview.summary.unprotected > 0" type="warning">
+                <el-tag
+                    v-if="overview.summary.unprotected > 0"
+                    type="warning"
+                    class="summary-chip"
+                    @click="onChipFilter(overview.fireActive ? 'noRule' : 'firewallInactive')"
+                >
                     {{ overview.summary.unprotected }} {{ $t('firewall.portSecurityPendingLabel') }}
                 </el-tag>
                 <el-tag type="success">
@@ -20,8 +30,10 @@
                 <template #prefix>{{ $t('commons.table.status') }}</template>
                 <el-option :label="$t('commons.table.all')" value=""></el-option>
                 <el-option :label="$t('firewall.dockerBypass')" value="dockerBypass"></el-option>
+                <el-option :label="$t('firewall.firewallInactive')" value="firewallInactive"></el-option>
                 <el-option :label="$t('firewall.noRule')" value="noRule"></el-option>
                 <el-option :label="$t('firewall.protected')" value="protected"></el-option>
+                <el-option :label="$t('firewall.blocked')" value="blocked"></el-option>
                 <el-option :label="$t('firewall.localOnly')" value="localOnly"></el-option>
             </el-select>
             <TableSearch @search="search()" v-model:searchName="searchName" />
@@ -29,9 +41,21 @@
             <TableSetting title="firewall-port-security-refresh" @search="search()" />
         </template>
         <template #main>
-            <div v-if="allData.length === 0 && !loading && !hasError && !searchName && !searchStatus" class="all-safe">
+            <el-alert
+                v-if="hasError && !loading"
+                :title="$t('firewall.portSecurityScanFailed')"
+                type="warning"
+                show-icon
+                :closable="false"
+                style="margin-bottom: 12px;"
+            />
+            <div
+                v-else-if="allData.length === 0 && !loading && !searchName && !searchStatus"
+                class="scan-clear"
+            >
                 <el-icon color="var(--el-color-success)"><CircleCheckFilled /></el-icon>
                 <span>{{ $t('firewall.portSecurityAllSafe') }}</span>
+                <span class="scan-clear__note">{{ $t('firewall.portSecurityScanLimit') }}</span>
             </div>
             <ComplexTable
                 v-else
@@ -43,42 +67,42 @@
                 <el-table-column :label="$t('commons.table.protocol')" :min-width="70" prop="protocol" />
                 <el-table-column :label="$t('firewall.portSecuritySource')" :min-width="120">
                     <template #default="{ row }">
-                        <span>{{ row.containerName || row.processName || '-' }}</span>
-                        <el-tag
-                            v-if="row.sourceType === 'docker' || row.sourceType === 'appStore'"
-                            class="source-tag--container"
-                            effect="plain"
-                            style="margin-left: 4px;"
-                        >
-                            <svg-icon iconName="p-docker" style="width: 12px; height: 12px; margin-right: 2px; vertical-align: middle;" />
-                            {{ $t('firewall.dockerLabel') }}
-                        </el-tag>
-                        <el-tag v-if="row.appName" type="info" effect="plain" style="margin-left: 4px;">
-                            {{ row.appName }}
-                        </el-tag>
+                        <div class="cell-inline">
+                            <span>{{ row.containerName || row.processName || '-' }}</span>
+                            <el-tag
+                                v-if="row.sourceType === 'docker' || row.sourceType === 'appStore'"
+                                class="source-tag--container"
+                                effect="plain"
+                            >
+                                <svg-icon iconName="p-docker" style="width: 12px; height: 12px; margin-right: 2px; vertical-align: middle;" />
+                                {{ $t('firewall.dockerLabel') }}
+                            </el-tag>
+                        </div>
                     </template>
                 </el-table-column>
                 <el-table-column :label="$t('firewall.portSecurityBindAddr')" :min-width="80" prop="bindAddress" show-overflow-tooltip />
                 <el-table-column :label="$t('commons.table.status')" :min-width="120">
                     <template #default="{ row }">
-                        <el-tag :type="statusTagType(row.status)">
-                            {{ $t('firewall.' + row.status) }}
-                        </el-tag>
-                        <el-tooltip
-                            v-if="row.status === 'dockerBypass' && row.hasRule"
-                            :content="$t('firewall.dockerBypassHasRule', [row.ruleStrategy, row.port, row.protocol])"
-                            placement="top"
-                        >
-                            <el-icon color="var(--el-color-warning)" style="margin-left: 4px; cursor: pointer;">
-                                <WarningFilled />
-                            </el-icon>
-                        </el-tooltip>
+                        <div class="cell-inline">
+                            <el-tag :type="statusTagType(row.status)">
+                                {{ $t('firewall.' + row.status) }}
+                            </el-tag>
+                            <el-tooltip
+                                v-if="row.status === 'dockerBypass' && row.hasRule"
+                                :content="$t('firewall.dockerBypassHasRule', [row.ruleStrategy, row.port, row.protocol])"
+                                placement="top"
+                            >
+                                <el-icon color="var(--el-color-warning)" style="cursor: pointer;">
+                                    <WarningFilled />
+                                </el-icon>
+                            </el-tooltip>
+                        </div>
                     </template>
                 </el-table-column>
-                <el-table-column :label="$t('commons.table.operate')" width="200px" fixed="right">
+                <el-table-column :label="$t('commons.table.operate')" width="200px" fixed="right" align="center" header-align="center">
                     <template #default="{ row }">
                         <el-button
-                            v-if="row.status === 'noRule' || row.status === 'firewallInactive'"
+                            v-if="row.status === 'noRule'"
                             link
                             type="primary"
                             @click="onCreateRule(row)"
@@ -154,6 +178,7 @@ const statusTagType = (status: string) => {
             return 'warning';
         case 'protected':
             return 'success';
+        case 'blocked':
         case 'localOnly':
             return 'info';
         default:
@@ -161,6 +186,16 @@ const statusTagType = (status: string) => {
     }
 };
 
+const onChipFilter = (status: string) => {
+    if (searchStatus.value === status) {
+        // toggle off when clicking the active chip
+        searchStatus.value = '';
+    } else {
+        searchStatus.value = status;
+    }
+    search();
+};
+
 const search = async () => {
     if (loading.value) return;
     loading.value = true;
@@ -197,15 +232,42 @@ onMounted(() => {
 </script>
 
 <style scoped lang="scss">
-.all-safe {
+.scan-clear {
     display: flex;
     align-items: center;
+    flex-wrap: wrap;
     gap: 6px;
     padding: 16px 0;
-    color: var(--el-color-success);
+    color: var(--el-text-color-regular);
     font-size: 14px;
 }
 
+.scan-clear__note {
+    color: var(--el-text-color-secondary);
+    font-size: 12px;
+    margin-left: 8px;
+}
+
+.summary-chip {
+    cursor: pointer;
+    transition: filter 0.15s ease-in-out, transform 0.05s ease-in-out;
+
+    &:hover {
+        filter: brightness(0.95);
+    }
+
+    &:active {
+        transform: translateY(1px);
+    }
+}
+
+.cell-inline {
+    display: inline-flex;
+    align-items: center;
+    gap: 6px;
+    vertical-align: middle;
+}
+
 .source-tag--container {
     --el-tag-bg-color: var(--el-color-primary-light-9);
     --el-tag-border-color: var(--el-color-primary-light-7);
diff --git a/frontend/src/views/host/firewall/port/index.vue b/frontend/src/views/host/firewall/port/index.vue
index 83e2bb07c4de..c540a568f54a 100644
--- a/frontend/src/views/host/firewall/port/index.vue
+++ b/frontend/src/views/host/firewall/port/index.vue
@@ -14,7 +14,7 @@
                 current-tab="base"
             />
             <div v-if="fireName !== '-'">
-                <el-card v-if="!isActive && maskShow" class="mask-prompt">
+                <el-card v-if="!isActive && maskShow && !isBind" class="mask-prompt">
                     <span>{{ $t('firewall.firewallNotStart') }}</span>
                 </el-card>
                 <el-card v-if="!isBind && maskShow" class="mask-prompt">
@@ -22,7 +22,7 @@
                 </el-card>
 
                 <PortAwareness
-                    v-if="isActive && isBind"
+                    v-if="isBind"
                     style="margin-top: 7px; margin-bottom: 7px;"
                     @create-rule="onCreateRuleFromAwareness"
                 />

From ec57571b689e719e1b0fa133d3dc2563e60181ba Mon Sep 17 00:00:00 2001
From: Teng Zhang <zhangt2333@gmail.com>
Date: Tue, 12 May 2026 10:19:43 +0800
Subject: [PATCH 3/3] feat: add unit tests

---
 agent/app/dto/firewall.go                     |   1 +
 agent/app/service/firewall_port_security.go   |  24 ++-
 .../service/firewall_port_security_test.go    | 174 ++++++++++++++++++
 frontend/src/api/interface/host.ts            |   1 +
 .../host/firewall/port/awareness/index.vue    |  15 +-
 5 files changed, 209 insertions(+), 6 deletions(-)
 create mode 100644 agent/app/service/firewall_port_security_test.go

diff --git a/agent/app/dto/firewall.go b/agent/app/dto/firewall.go
index 363a4abb46e5..ed54c59bcac7 100644
--- a/agent/app/dto/firewall.go
+++ b/agent/app/dto/firewall.go
@@ -144,4 +144,5 @@ type PortSecurityItem struct {
 	Status        string `json:"status"`
 	HasRule       bool   `json:"hasRule"`
 	RuleStrategy  string `json:"ruleStrategy"`
+	RuleAddress   string `json:"ruleAddress"`
 }
diff --git a/agent/app/service/firewall_port_security.go b/agent/app/service/firewall_port_security.go
index 4d6586b30e90..206e652e029c 100644
--- a/agent/app/service/firewall_port_security.go
+++ b/agent/app/service/firewall_port_security.go
@@ -34,6 +34,7 @@ type firewallRuleEntry struct {
 	strategy string
 	portStr  string
 	protocol string
+	address  string
 }
 
 // GetPortSecurityOverview scans all listening ports and cross-references them with
@@ -152,9 +153,10 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 			item.AppName = "1panel"
 		}
 
-		ruleStrategy, hasRule := matchFirewallRule(ruleIndex, conn.Laddr.Port, proto)
+		ruleStrategy, hasRule, ruleAddress := matchFirewallRule(ruleIndex, conn.Laddr.Port, proto)
 		item.HasRule = hasRule
 		item.RuleStrategy = ruleStrategy
+		item.RuleAddress = ruleAddress
 
 		items = append(items, item)
 	}
@@ -182,9 +184,10 @@ func (u *FirewallService) GetPortSecurityOverview(req dto.PortSecuritySearch) (*
 			item.AppName = appName
 			item.SourceType = "appStore"
 		}
-		ruleStrategy, hasRule := matchFirewallRule(ruleIndex, key.port, key.protocol)
+		ruleStrategy, hasRule, ruleAddress := matchFirewallRule(ruleIndex, key.port, key.protocol)
 		item.HasRule = hasRule
 		item.RuleStrategy = ruleStrategy
+		item.RuleAddress = ruleAddress
 		seenIndex[key] = len(items)
 		items = append(items, item)
 	}
@@ -288,6 +291,7 @@ func buildFirewallRuleIndex(rules []fireClient.FireInfo, err error) []firewallRu
 			strategy: r.Strategy,
 			portStr:  r.Port,
 			protocol: r.Protocol,
+			address:  r.Address,
 		})
 	}
 	return entries
@@ -325,9 +329,10 @@ func buildAppPortMaps(ctx context.Context) (map[uint32]string, uint32) {
 // the port is reported as denied. It also keeps the result deterministic regardless of
 // the underlying backend's listing order (firewalld lists --list-ports accepts before
 // rich-rule drops, iptables lists by line number, ufw by rule index).
-func matchFirewallRule(rules []firewallRuleEntry, port uint32, proto string) (string, bool) {
+func matchFirewallRule(rules []firewallRuleEntry, port uint32, proto string) (string, bool, string) {
 	portStr := strconv.FormatUint(uint64(port), 10)
 	acceptStrategy := ""
+	acceptAddress := ""
 	foundAccept := false
 	for _, r := range rules {
 		if r.protocol != "" && r.protocol != "tcp/udp" && r.protocol != proto {
@@ -337,20 +342,29 @@ func matchFirewallRule(rules []firewallRuleEntry, port uint32, proto string) (st
 			continue
 		}
 		if r.strategy == "drop" || r.strategy == "reject" {
-			return r.strategy, true
+			return r.strategy, true, r.address
 		}
 		if !foundAccept {
 			acceptStrategy = r.strategy
+			acceptAddress = r.address
 			foundAccept = true
 		}
 	}
-	return acceptStrategy, foundAccept
+	return acceptStrategy, foundAccept, acceptAddress
 }
 
 func portMatchesRule(portStr string, portNum uint32, rulePort string) bool {
 	if rulePort == portStr {
 		return true
 	}
+	if strings.Contains(rulePort, ",") {
+		for _, p := range strings.Split(rulePort, ",") {
+			if strings.TrimSpace(p) == portStr {
+				return true
+			}
+		}
+		return false
+	}
 	sep := ""
 	if strings.Contains(rulePort, "-") {
 		sep = "-"
diff --git a/agent/app/service/firewall_port_security_test.go b/agent/app/service/firewall_port_security_test.go
new file mode 100644
index 000000000000..114caa517d0f
--- /dev/null
+++ b/agent/app/service/firewall_port_security_test.go
@@ -0,0 +1,174 @@
+package service
+
+import (
+	"testing"
+)
+
+func TestPortMatchesRule(t *testing.T) {
+	tests := []struct {
+		name    string
+		portStr string
+		portNum uint32
+		rule    string
+		want    bool
+	}{
+		{"exact match", "80", 80, "80", true},
+		{"no match", "80", 80, "443", false},
+		{"dash range match", "8080", 8080, "8000-9000", true},
+		{"dash range lower bound", "8000", 8000, "8000-9000", true},
+		{"dash range upper bound", "9000", 9000, "8000-9000", true},
+		{"dash range miss below", "7999", 7999, "8000-9000", false},
+		{"dash range miss above", "9001", 9001, "8000-9000", false},
+		{"colon range match", "8500", 8500, "8000:9000", true},
+		{"colon range miss", "7999", 7999, "8000:9000", false},
+		{"comma list first", "80", 80, "80,443,8080", true},
+		{"comma list middle", "443", 443, "80,443,8080", true},
+		{"comma list last", "8080", 8080, "80,443,8080", true},
+		{"comma list miss", "22", 22, "80,443,8080", false},
+		{"comma with spaces", "443", 443, "80, 443, 8080", true},
+		{"empty rule", "80", 80, "", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := portMatchesRule(tt.portStr, tt.portNum, tt.rule)
+			if got != tt.want {
+				t.Errorf("portMatchesRule(%q, %d, %q) = %v, want %v", tt.portStr, tt.portNum, tt.rule, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestMatchFirewallRule(t *testing.T) {
+	rules := []firewallRuleEntry{
+		{strategy: "accept", portStr: "22", protocol: "tcp", address: ""},
+		{strategy: "accept", portStr: "3306", protocol: "tcp", address: "10.0.0.0/8"},
+		{strategy: "drop", portStr: "3306", protocol: "tcp", address: "1.2.3.4"},
+		{strategy: "accept", portStr: "8000-9000", protocol: "tcp", address: ""},
+		{strategy: "accept", portStr: "53", protocol: "tcp", address: ""},
+		{strategy: "accept", portStr: "123", protocol: "tcp/udp", address: ""},
+		{strategy: "accept", portStr: "80,443", protocol: "tcp", address: ""},
+	}
+
+	tests := []struct {
+		name         string
+		port         uint32
+		proto        string
+		wantStrategy string
+		wantFound    bool
+		wantAddress  string
+	}{
+		{"exact match tcp/22", 22, "tcp", "accept", true, ""},
+		{"no match udp/22", 22, "udp", "", false, ""},
+		{"drop wins over accept for 3306", 3306, "tcp", "drop", true, "1.2.3.4"},
+		{"range match 8500", 8500, "tcp", "accept", true, ""},
+		{"protocol mismatch udp/8500", 8500, "udp", "", false, ""},
+		{"source-scoped accept 3306 returns address", 3306, "tcp", "drop", true, "1.2.3.4"},
+		{"no match port 9999", 9999, "tcp", "", false, ""},
+		{"comma list match 443", 443, "tcp", "accept", true, ""},
+		{"comma list match 80", 80, "tcp", "accept", true, ""},
+		{"tcp/udp protocol matches tcp", 123, "tcp", "accept", true, ""},
+		{"tcp/udp protocol matches udp", 123, "udp", "accept", true, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			strategy, found, address := matchFirewallRule(rules, tt.port, tt.proto)
+			if strategy != tt.wantStrategy || found != tt.wantFound || address != tt.wantAddress {
+				t.Errorf("matchFirewallRule(port=%d, proto=%s) = (%q, %v, %q), want (%q, %v, %q)",
+					tt.port, tt.proto, strategy, found, address, tt.wantStrategy, tt.wantFound, tt.wantAddress)
+			}
+		})
+	}
+}
+
+func TestDetermineStatus(t *testing.T) {
+	tests := []struct {
+		name           string
+		bindAddr       string
+		sourceType     string
+		firewallActive bool
+		hasRule        bool
+		ruleStrategy   string
+		want           string
+	}{
+		{"loopback ipv4", "127.0.0.1", "host", true, false, "", "localOnly"},
+		{"loopback ipv4 alt", "127.0.0.53", "host", true, false, "", "localOnly"},
+		{"loopback ipv6", "::1", "host", true, false, "", "localOnly"},
+		{"link-local ipv6", "fe80::1", "host", true, false, "", "localOnly"},
+		{"wildcard ipv4", "0.0.0.0", "host", true, false, "", "noRule"},
+		{"wildcard ipv6", "::", "host", true, false, "", "noRule"},
+		{"empty addr", "", "host", true, false, "", "noRule"},
+		{"public ip host", "114.212.85.247", "host", true, false, "", "noRule"},
+		{"bridge gateway host", "172.17.0.1", "host", true, false, "", "noRule"},
+		{"docker wildcard", "0.0.0.0", "docker", true, false, "", "dockerBypass"},
+		{"docker loopback", "127.0.0.1", "docker", true, false, "", "localOnly"},
+		{"docker specific ip", "172.17.0.1", "docker", true, false, "", "dockerBypass"},
+		{"appStore wildcard", "0.0.0.0", "appStore", true, false, "", "dockerBypass"},
+		{"firewall inactive host", "0.0.0.0", "host", false, false, "", "firewallInactive"},
+		{"firewall inactive docker", "0.0.0.0", "docker", false, false, "", "dockerBypass"},
+		{"accept rule", "0.0.0.0", "host", true, true, "accept", "protected"},
+		{"drop rule", "0.0.0.0", "host", true, true, "drop", "blocked"},
+		{"reject rule", "0.0.0.0", "host", true, true, "reject", "blocked"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := determineStatus(tt.bindAddr, tt.sourceType, tt.firewallActive, tt.hasRule, tt.ruleStrategy)
+			if got != tt.want {
+				t.Errorf("determineStatus(%q, %q, active=%v, rule=%v, %q) = %q, want %q",
+					tt.bindAddr, tt.sourceType, tt.firewallActive, tt.hasRule, tt.ruleStrategy, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsLoopbackOrLinkLocal(t *testing.T) {
+	tests := []struct {
+		addr string
+		want bool
+	}{
+		{"127.0.0.1", true},
+		{"127.0.0.53", true},
+		{"127.0.0.54", true},
+		{"::1", true},
+		{"fe80::1", true},
+		{"fe80::be24:11ff:fe31:1da9", true},
+		{"0.0.0.0", false},
+		{"::", false},
+		{"", false},
+		{"114.212.85.247", false},
+		{"172.17.0.1", false},
+		{"10.0.0.1", false},
+		{"192.168.1.1", false},
+		{"2001:db8::1", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.addr, func(t *testing.T) {
+			got := isLoopbackOrLinkLocal(tt.addr)
+			if got != tt.want {
+				t.Errorf("isLoopbackOrLinkLocal(%q) = %v, want %v", tt.addr, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsWildcardAddress(t *testing.T) {
+	tests := []struct {
+		addr string
+		want bool
+	}{
+		{"0.0.0.0", true},
+		{"::", true},
+		{"", true},
+		{"127.0.0.1", false},
+		{"172.17.0.1", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.addr, func(t *testing.T) {
+			got := isWildcardAddress(tt.addr)
+			if got != tt.want {
+				t.Errorf("isWildcardAddress(%q) = %v, want %v", tt.addr, got, tt.want)
+			}
+		})
+	}
+}
diff --git a/frontend/src/api/interface/host.ts b/frontend/src/api/interface/host.ts
index f37118104055..70c790897f24 100644
--- a/frontend/src/api/interface/host.ts
+++ b/frontend/src/api/interface/host.ts
@@ -156,6 +156,7 @@ export namespace Host {
         status: string;
         hasRule: boolean;
         ruleStrategy: string;
+        ruleAddress: string;
     }
     export interface PortSecuritySummary {
         total: number;
diff --git a/frontend/src/views/host/firewall/port/awareness/index.vue b/frontend/src/views/host/firewall/port/awareness/index.vue
index 55cd7d1d0dcb..d078dce3ecca 100644
--- a/frontend/src/views/host/firewall/port/awareness/index.vue
+++ b/frontend/src/views/host/firewall/port/awareness/index.vue
@@ -84,7 +84,16 @@
                 <el-table-column :label="$t('commons.table.status')" :min-width="120">
                     <template #default="{ row }">
                         <div class="cell-inline">
-                            <el-tag :type="statusTagType(row.status)">
+                            <el-tooltip
+                                v-if="row.hasRule && hasSourceScope(row.ruleAddress)"
+                                :content="`${row.ruleStrategy} ${row.port}/${row.protocol} from ${row.ruleAddress}`"
+                                placement="top"
+                            >
+                                <el-tag :type="statusTagType(row.status)">
+                                    {{ $t('firewall.' + row.status) }}
+                                </el-tag>
+                            </el-tooltip>
+                            <el-tag v-else :type="statusTagType(row.status)">
                                 {{ $t('firewall.' + row.status) }}
                             </el-tag>
                             <el-tooltip
@@ -186,6 +195,10 @@ const statusTagType = (status: string) => {
     }
 };
 
+const hasSourceScope = (addr: string) => {
+    return !!addr && addr !== 'Anywhere' && addr !== '0.0.0.0/0' && addr !== '::/0';
+};
+
 const onChipFilter = (status: string) => {
     if (searchStatus.value === status) {
         // toggle off when clicking the active chip