Update ports section in services.md (#22368)

Explicitly state the dangers if a port mapping binds to all interfaces

## Description

<!-- Tell us what you did and why -->

We recently discovered that docker was bypassing our firewall rules when
forwarding ports from a container using the standard `<host
port>:<container port>` syntax. What this meant was that the container
was effectively visible to the entire internet. It was only after some
digging did we discover that it is possible and even recommended to
explicitly bind the host port to localhost so it doesn't accept
connections from everywhere. This PR updates the docs to explicitly
state the potential dangers of not specifying a localhost when exposing
docker container ports.

## Reviews

- [ ] Technical review
- [ ] Editorial review
- [ ] Product review

---------

Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>

Author: chubi-x

content/reference/compose-file/services.md

@@ -1651,6 +1651,10 @@ in the form:
 - `CONTAINER` is `port | range`.
 - `PROTOCOL` restricts ports to a specified protocol either `tcp` or `udp`(optional). Default is `tcp`.
 
+> [!WARNING]
+>
+> If you do not specify a host IP (such as `127.0.0.1`), Docker binds to all interfaces (`0.0.0.0`), bypassing host firewall rules. This can expose the container directly to the internet if the host has a public IP address. For more information, see [Port publishing and mapping](/manuals/engine/network/port-publishing.md).
+
 Ports can be either a single value or a range. `HOST` and `CONTAINER` must use equivalent ranges.
 
 You can either specify both ports (`HOST:CONTAINER`), or just the container port. In the latter case,
@@ -1659,6 +1663,8 @@ the container runtime automatically allocates any unassigned port of the host.
 `HOST:CONTAINER` should always be specified as a (quoted) string, to avoid conflicts
 with [YAML base-60 float](https://yaml.org/type/float.html).
 
+
+
 IPv6 addresses can be enclosed in square brackets.
 
 Examples: