Firewalld default zone becomes inactive and disappears

Hi there,

As my needs for a home automation “server” are growing beyond what a Raspberry Pi with Docker can deliver, I have successfully (and painlessly) installed Rocky Linux 9.3 a few days ago on an SFF PC and installed Docker on it, followed by the containers I needed.

Fortunately, the containers do not have overlapping ports, and they are meant to have full access to the rest of the local network, so I bound them all to the “host” virtual network in docker. To make them accessible over the network through the active firewalld, I defined the “home” zone as being the default one, with the ethernet interface connected to this zone, and with the necessary explicit firewall rules added in the zone.

All is well so far, containers work as expected, and there was much rejoicing.

The odd thing was that, after some time of running, firewalld no longer reported the home zone as being active with firewall-cmd --get-active-zones, and the Ethernet interface was no longer assigned to any zone with firewall-cmd --get-zone-of-interface=interfacename. Only the docker0 interface showed up under the Docker zone, although there was no container connected to it or doing any traffic there. There is no functional impact from this, it only annoys me that I cannot add new firewall rules in the Cockpit if the corresponding zone doesn’t show up as active. If I reload the firewall configuration from the shell, it appears again but disappears after some time (minutes even).

As I don’t need the docker “bridge” virtual private network for inter-container traffic, I set the bridge to “none” in the docker json configuration file, restarted the docker service and voilà, it no longer has a “bridge” network. NetworkManager no longer sees the interface with nmcli device (only the Ethernet interface and lo are listed), and the Cockpit currently shows just the Ethernet interface with its IP assignments, and I manually deleted the Docker zone in the Cockpit. But firewall-cmd --list-all-zones still shows a Docker zone, and at the same time the “home” zone randomly disappears from being active, and the Cockpit reports “0 zones active”.

Am I doing something wrong or missing something? From all the probing tried so far, it would seem that the root cause is somewhere with firewalld. But why, and more importantly how can I fix it?

Any hints would be very much appreciated. Many thanks in advance!

[quick edit] Just found some leftover configuration file in /etc/firewalld/zones/docker.xml and deleted it. After a firewalld reload, the docker zone is no longer mentioned. Let’s see if home still disappears, though…

Well, how about that. After the Docker zone is completely gone from configuration files and stuff, the Cockpit continues to show 1 active zone, as expected. I’ll keep monitoring it, in case I catch it disappear again. But now I suspect that docker is doing some dodgy stuff in the system with default settings…
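The checks described in this post, as an added example that is not from the thread: a small POSIX shell script that parses the text firewall-cmd --get-active-zones prints, reports whether the default zone is still active and which zone a given interface is bound to, and flags a leftover zone file such as the docker.xml found above. The sample output below is constructed, and the interface name enp3s0 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld/Docker.
# Constructed sample in the format `firewall-cmd --get-active-zones` prints:
# an unindented zone name, then indented "interfaces:" / "sources:" lines.
SAMPLE_ACTIVE_ZONES='docker
  interfaces: docker0
home
  interfaces: enp3s0'

# zone_of_interface IFACE TEXT: print the zone listing IFACE; status 1 if none.
zone_of_interface() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^[^ \t]/ { zone = $1; next }          # unindented line = zone name
    /^[ \t]+interfaces:/ {                 # indented list of its interfaces
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }'
}

# zone_is_active ZONE TEXT: status 0 if ZONE appears as an active zone.
zone_is_active() {
  printf '%s\n' "$2" | grep -qx "$1"
}

# check_live IFACE [ZONES_DIR]: run the same checks against the real firewalld
# and flag a leftover docker.xml like the one the thread found.
check_live() {
  iface=$1; zones_dir=${2:-/etc/firewalld/zones}
  default=$(firewall-cmd --get-default-zone) || return 1
  active=$(firewall-cmd --get-active-zones) || return 1
  if zone_is_active "$default" "$active"; then
    echo "default zone '$default' is active"
  else
    echo "WARNING: default zone '$default' is NOT active"
  fi
  if z=$(zone_of_interface "$iface" "$active"); then
    echo "$iface is bound to zone '$z'"
  else
    echo "WARNING: $iface is not bound to any active zone"
  fi
  [ -f "$zones_dir/docker.xml" ] && echo "NOTE: leftover $zones_dir/docker.xml"
  return 0
}

# Talk to firewalld only when it is installed; otherwise demo on the sample.
if command -v firewall-cmd >/dev/null 2>&1; then
  check_live enp3s0
else
  zone_of_interface enp3s0 "$SAMPLE_ACTIVE_ZONES"
fi
```

Run it after a firewalld reload and again some minutes later to catch the moment the interface drops out of the default zone.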

You could always use podman instead of docker - podman comes in the Rocky repos by default.

Thanks for the reply and suggestion, @iwalker

I’m such a noob, this was the first time I’ve heard of podman. At first it seems like there is a learning curve and some possible surprises along the way, for example the need to use privileged ports (like pihole for DNS and HTTP/HTTPS administration). There’s also a risk that whoever has deployed the images in Docker Hub did not expect them to run under podman, has not tested this scenario and is unable to provide any support other than “well switch back to docker, it works there”. But after a bit of toe wiggling in the water it doesn’t seem that bad.

The only possibly significant headache could come from podman having the same issues with firewalld and zones, with containers running on the host network, which is a bit of an unusual need as it goes against security recommendations, but it makes complete sense to me to avoid unnecessary virtual NATing for a home server.
