Firewalld And Container Published Ports
The integration between docker and firewalld has changed over the years, but based on your OS versions and CLI output I think you can get the behavior you expect by setting AllowZoneDrifting=no in /etc/firewalld/firewalld.conf on the RHEL-8 host.
Due to zone drifting, it's possible for packets received in a zone with --set-target=default (e.g. public zone) to drift to a zone with --set-target=accept (e.g. trusted zone). This means FORWARDed packets received in zone public will be forwarded to zone trusted. If your docker containers are using a real bridge interface, then this issue may apply to your setup. Docker defaults to SNAT so usually this problem is hidden.
Newer firewalld releases have completely removed this behavior, because as you have found it's both unexpected and a security issue.
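As an added example (not part of the original answer), a POSIX shell audit that reads the AllowZoneDrifting value from a firewalld.conf, lists zones whose XML declares target="ACCEPT", and combines the two into the drift condition described above. It runs against constructed sample files; the file paths, the sample contents and the assumption that a firewalld.conf without an explicit AllowZoneDrifting=no should be treated as not disabled are mine.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit firewalld configuration
# for the zone-drifting condition described above. Paths are passed as
# arguments so the checks can run against constructed sample files offline.

# Effective AllowZoneDrifting value from a firewalld.conf: yes, no, unset or invalid.
zone_drifting_setting() {
    val=$(grep -i '^[[:space:]]*AllowZoneDrifting[[:space:]]*=' "$1" 2>/dev/null |
          tail -n 1 | cut -d= -f2 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$val" in
        yes|no) echo "$val" ;;
        "")     echo "unset" ;;   # key absent: firewalld's built-in default applies
        *)      echo "invalid" ;;
    esac
}

# Names of zones in a zone directory whose XML declares target="ACCEPT" (e.g. trusted).
accept_target_zones() {
    for z in "$1"/*.xml; do
        [ -f "$z" ] || continue
        grep -qi 'target="ACCEPT"' "$z" && basename "$z" .xml
    done
}

# Drift risk (assumption: anything other than an explicit "no" counts as enabled):
# drifting is not disabled AND at least one ACCEPT-target zone exists for a
# default-target zone's forwarded packets to drift into. Exit 0 = at risk.
drift_risk() {
    [ "$(zone_drifting_setting "$1")" != "no" ] &&
        [ -n "$(accept_target_zones "$2")" ]
}

# Constructed sample files (no real host involved).
tmp=$(mktemp -d)
mkdir "$tmp/zones"
printf '<?xml version="1.0"?>\n<zone>\n  <short>Public</short>\n</zone>\n' > "$tmp/zones/public.xml"
printf '<?xml version="1.0"?>\n<zone target="ACCEPT">\n  <short>Trusted</short>\n</zone>\n' > "$tmp/zones/trusted.xml"
printf 'DefaultZone=public\n# AllowZoneDrifting=no\nAllowZoneDrifting=yes\n' > "$tmp/drifting.conf"
printf 'DefaultZone=public\nAllowZoneDrifting=no\n' > "$tmp/fixed.conf"

for c in drifting fixed; do
    if drift_risk "$tmp/$c.conf" "$tmp/zones"; then
        echo "$c.conf: AllowZoneDrifting=$(zone_drifting_setting "$tmp/$c.conf"), ACCEPT-target zones: $(accept_target_zones "$tmp/zones" | tr '\n' ' ')-> drift possible"
    else
        echo "$c.conf: zone drifting disabled"
    fi
done
```

On a real host the same functions would be pointed at /etc/firewalld/firewalld.conf and /etc/firewalld/zones (falling back to /usr/lib/firewalld/zones for zones not overridden there).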