diff --git a/Dockerfile b/Dockerfile
index bffafe0c665..405af066062 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,11 +51,13 @@ COPY --from=0 /etc/ssl/certs /etc/ssl/certs
 # This shared lib (part of glibc) doesn't seem to be included with busybox.
 COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2
 
-# Ports for Swarm TCP, Swarm uTP, API, Gateway, Swarm Websockets
+# Swarm TCP; should be exposed to the public
 EXPOSE 4001
-EXPOSE 4002/udp
+# Daemon API; must not be exposed publicly but to client services under you control
 EXPOSE 5001
+# Web Gateway; can be exposed publicly with a proxy, e.g. as https://ipfs.example.org
 EXPOSE 8080
+# Swarm Websockets; must be exposed publicly when the node is listening using the websocket transport (/ipX/.../tcp/8081/ws).
 EXPOSE 8081
 
 # Create the fs-repo directory and switch to a non-privileged user.