diff --git a/manual/deploy_pro/download_and_setup_seafile_professional_server.md b/manual/deploy_pro/download_and_setup_seafile_professional_server.md index 6e953217..85d60223 100644 --- a/manual/deploy_pro/download_and_setup_seafile_professional_server.md +++ b/manual/deploy_pro/download_and_setup_seafile_professional_server.md @@ -471,6 +471,14 @@ sudo docker run -d \ -d elasticsearch:7.16.2 ``` +**Note**: By default, Elasticsearch will only listen on `127.0.0.1`, but this rule may **become invalid** after Docker exposes the service port, ***which will make your Elasticsearch service vulnerable to attackers accessing and extracting sensitive data due to exposure to the external network***. We recommend that you manually configure the Docker firewall, such as + +```sh +sudo iptables -A INPUT -p tcp -s --dport 9200 -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 9200 -j DROP +``` + +The above command will only allow the host where your Seafile service is located to connect to Elasticsearch, and other addresses will be blocked. If you deploy Elasticsearch based on binary packages, you need to refer to the [official document](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/important-settings.html#network.host) to set the address that Elasticsearch binds to. ### Modifying seafevents
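Review bot: In the added `sh` block, the first rule reads `-s --dport 9200` with nothing after `-s`, so the command fails as written. A source-address placeholder appears to have been dropped, and it should be written out visibly, for example `-s <seafile-host-ip>`. Both rules are also appended to the `INPUT` chain. If the `docker run` command above publishes port 9200, Docker DNATs that traffic to the container and it traverses `FORWARD` rather than `INPUT`, so these rules would not restrict access to the container. Docker's documented place for user filtering is the `DOCKER-USER` chain, so the example should target that chain, or the note should recommend publishing the port only on the address Seafile connects to. The note's wording could also be tightened: "this rule may become invalid" would be clearer as a statement that a published port is reachable on all host interfaces, and "Docker firewall" should name the host's iptables rules. Since the rules use `-A`, it is also worth mentioning that they are order-dependent and do not persist across reboots unless saved.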