How does Docker work with a firewall?

Firewalld only processes the first matching zone for any connection. It also evaluates zones bound to source IP addresses before zones bound to interfaces. As long as any of your zones happens to include the IP addresses Docker is using, the ACCEPT rule in the trusted zone will never get processed.

Is there a way to simply allow everything in a docker container?

Is there a way to simply allow everything in a Docker container (I guess on the docker0 adapter) unrestricted access to the host? These commands did the trick: One reason the accepted solution works for some people but not for others lies in a design issue of firewalld. Firewalld only processes the first matching zone for any connection.

Can a trusted zone be used for Docker?

As long as any of your zones happens to include the IP addresses Docker is using, the ACCEPT rule in the trusted zone will never get processed. To verify this, you can look at the generated iptables rules unless you are using the nft backend: The solution is to use a firewalld direct rule instead of the trusted zone.
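To make the zone-ordering problem concrete, here is a small model of the dispatch order described above (an added example, not code from the original answers or from firewalld itself). The zone layout and the container address are constructed; docker0 and 172.17.0.0/16 are Docker's usual bridge defaults.

```python
from ipaddress import ip_address, ip_network

# Docker's default bridge interface and subnet (Docker's usual defaults);
# every other value below is constructed for the example.
DOCKER_IFACE = "docker0"
DOCKER_SUBNET = "172.17.0.0/16"


def pick_zone(zones, src_ip, in_iface, default_zone="public"):
    """Return the zone firewalld applies to an incoming packet.

    zones maps a zone name to {"sources": [cidr, ...], "interfaces": [...]}.
    Source-bound zones are consulted first, then interface-bound zones,
    then the default zone; the first match wins and nothing else is tried.
    """
    ip = ip_address(src_ip)
    for name, zone in zones.items():
        if any(ip in ip_network(cidr) for cidr in zone.get("sources", ())):
            return name
    for name, zone in zones.items():
        if in_iface in zone.get("interfaces", ()):
            return name
    return default_zone


def unrestricted_access(zones, direct_rules, src_ip, in_iface):
    """True if the packet gets unrestricted (all-ports) access to the host.

    Direct rules live in INPUT_direct, which firewalld consults before the
    zone chains, so an interface-based direct ACCEPT wins no matter which
    zone the source address would have selected.  Among the zones, only
    'trusted' has an ACCEPT target by default.
    """
    if any(r["in_iface"] == in_iface and r["target"] == "ACCEPT"
           for r in direct_rules):
        return True
    return pick_zone(zones, src_ip, in_iface) == "trusted"


def docker_direct_rule(iface=DOCKER_IFACE):
    """The firewall-cmd invocation that installs the permanent direct rule."""
    return ("firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 "
            f"-i {iface} -j ACCEPT")


if __name__ == "__main__":
    # Constructed layout: a LAN zone bound to the whole 172.16.0.0/12 range,
    # which silently captures Docker's 172.17.0.0/16 containers by source.
    zones = {"internal": {"sources": ["172.16.0.0/12"]},
             "trusted": {"interfaces": [DOCKER_IFACE]}}
    print(pick_zone(zones, "172.17.0.2", DOCKER_IFACE))            # internal
    print(unrestricted_access(zones, [], "172.17.0.2", DOCKER_IFACE))  # False
    direct = [{"in_iface": DOCKER_IFACE, "target": "ACCEPT"}]
    print(unrestricted_access(zones, direct, "172.17.0.2", DOCKER_IFACE))  # True
    print(docker_direct_rule())
```

With the trusted zone bound to docker0 but the container subnet also covered by a source-bound zone, the model picks the source zone and denies unrestricted access; the direct rule is evaluated first and so is not affected.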

Can you specify your own network in Docker?

You can also specify your own network in docker. This post describes the process: https://serverfault.com/questions/885470/how-to-configure-firewall-on-user-defined-docker-bridge The short version is that you specify the networks section in a docker-file, like this:

How to enable firewalld logging for denied packets on Linux?

In the /etc/firewalld/firewalld.conf file, we can set the LogDenied option. Another option is to use the firewall-cmd command. After enabling it, the Linux system will log all the packets that are rejected or dropped by FirewallD. There are multiple methods to enable FirewallD logging.

Why does Docker use iptables on Linux?

On Linux, Docker manipulates iptables rules to provide network isolation. This is an implementation detail, and you should not modify the rules Docker inserts into your iptables policies. Which wouldn't be my first resort, as advised against.