You edit a firewalld zone, run the one command you always run — sudo firewall-cmd --reload — and it returns success. Then, hours later, a backup didn't run. Your containers are still Up in docker ps. The host has internet. The containers have none.
Here's the seam: firewalld and Docker both write the same netfilter tables, and neither knows about the other. firewall-cmd --reload flushes the whole ruleset and re-applies only firewalld's config — wiping the DOCKER / DOCKER-USER chains and the NAT masquerade that dockerd installed at startup. Docker doesn't get told its rules vanished, so it never re-adds them. Result: running containers lose outbound internet while still reporting healthy. The 10-second manual fix is sudo systemctl restart docker (dockerd re-installs its chains on start). The permanent fix is a small systemd unit that restarts Docker automatically whenever firewalld reloads — so it self-heals before you notice.
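As an added illustration (not the guide's unit file or its test), the following POSIX shell check reads a ruleset in iptables-save format and reports whether the chains and the masquerade rule that dockerd installs are still there, which is exactly what a firewalld reload removes. The two sample rulesets are constructed, and the check assumes Docker's default bridge is docker0 and that iptables-save is available on the host.

```shell
# Detect the "alive but isolated" state from the netfilter ruleset itself.
# Assumes the default bridge docker0 (an assumption, not from the post).

# Return 0 if every chain and NAT rule dockerd installs is present in the
# ruleset passed as $1, 1 if any of them is gone.
docker_rules_intact() {
    ruleset=$1
    # Chain definitions appear as ":NAME POLICY [pkts:bytes]" lines.
    printf '%s\n' "$ruleset" | grep -q '^:DOCKER-USER ' || return 1
    printf '%s\n' "$ruleset" | grep -q '^:DOCKER '      || return 1
    # Outbound NAT for the bridge subnet; without it containers keep
    # running but have no egress.
    printf '%s\n' "$ruleset" | grep -q '! -o docker0 -j MASQUERADE' || return 1
    return 0
}

# Read the live ruleset and restart dockerd when its rules are missing
# (needs root; this automates the manual fix from the post).
heal_if_needed() {
    live=$(iptables-save 2>/dev/null) || { echo "iptables-save failed" >&2; return 2; }
    if docker_rules_intact "$live"; then
        echo "docker netfilter rules present"
        return 0
    fi
    echo "docker chains missing (firewalld reload?); restarting docker" >&2
    systemctl restart docker
}

# Constructed sample: the relevant lines as dockerd leaves them at startup.
HEALTHY_RULESET='*nat
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT'

# Constructed sample: same host after firewall-cmd --reload re-applied
# only firewalld's own chains.
FLUSHED_RULESET='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j POST_public
COMMIT
*filter
-A FORWARD -j FORWARD_IN_ZONES
COMMIT'

case "${1:-}" in --heal) heal_if_needed ;; esac
```

Run it as `sh check.sh --heal` from a systemd timer or after a reload to get the self-healing behaviour; the functions alone are safe to source for monitoring.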
The full guide has the exact docker-firewalld-watch.service unit file, the enable --now commands, and a copy-paste test that breaks egress on purpose and proves it heals. It also covers how I make this failure visible across a whole fleet — because "alive but isolated" is invisible by design — using homelab-monitor: one Docker container, polls every host over SSH (no agents), shows fleet-wide container/service health, and pushes edge-triggered alerts to Discord, ntfy.sh and Telegram the moment a container flips red.
Read the full guide on Medium → https://medium.com/@arsen.apostolov/528889d3eca1