docs: clarify compose port edits for Docker nodes

Author: cursoragent

src/content/docs/network/nodes/validator-node/deploy-nodes/using-docker.mdx

@@ -159,6 +159,8 @@ and VFN will be deployed on separate machines.
   containers. In Docker deployments, a host firewall rule alone may not block a port that is still published by
   Compose. Publish only the ports each node role needs, keep REST/admin/inspection ports private unless explicitly
   required, and verify from a machine outside your host or VPC that ports meant to stay closed are not reachable.
+  If a Compose file publishes `8080:8080` (or similar for `9101` / `9102`) and you do not want external access, either
+  remove that entry or bind it to a trusted interface, e.g., `127.0.0.1:8080:8080`.
 </Aside>
 
 7. To start the validator node, run the following command in your working directory:

src/content/docs/zh/network/nodes/validator-node/deploy-nodes/using-docker.mdx

@@ -139,7 +139,7 @@ import { Aside } from '@astrojs/starlight/components';
 
 <Aside type="caution">
   **Docker 网络与已发布端口**<br />
-  在启动容器之前,请检查 `docker-compose.yaml` 和 `docker-compose-fullnode.yaml` 中的 `ports:` 配置.在 Docker 部署中,如果端口仍由 Compose 发布,仅靠主机防火墙规则可能不足以阻止访问.只发布每种节点角色确实需要的端口,除非您明确需要,否则应保持 REST API / 管理 / 检查服务端口为私有,并从主机或 VPC 外部的机器验证本应关闭的端口确实无法访问.
+  在启动容器之前,请检查 `docker-compose.yaml` 和 `docker-compose-fullnode.yaml` 中的 `ports:` 配置.在 Docker 部署中,如果端口仍由 Compose 发布,仅靠主机防火墙规则可能不足以阻止访问.只发布每种节点角色确实需要的端口,除非您明确需要,否则应保持 REST API / 管理 / 检查服务端口为私有,并从主机或 VPC 外部的机器验证本应关闭的端口确实无法访问.如果 Compose 文件里发布了 `8080:8080`(或 `9101` / `9102` 的类似映射),而您又不希望外部访问,请删除该条目,或者将其绑定到受信任的接口,例如 `127.0.0.1:8080:8080`.
 </Aside>
 
 7. 要启动验证器节点,在您的工作目录中运行以下命令: