I'm sorry for replying so late. The last email was rejected :(, so I need to rewrite the
mail.
I made a policy as follows:
# firewall-cmd --permanent --new-policy worldToDocker
# firewall-cmd --permanent --policy worldToDocker --add-ingress-zone ANY
# firewall-cmd --permanent --policy worldToDocker --add-egress-zone docker
# firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv4 source not address=127.0.0.1 reject'
# firewall-cmd --permanent --policy worldToDocker --add-rich-rule='rule family=ipv6 source not address=[::1] reject'
# firewall-cmd --reload
In this policy, I guess all packets not coming from 127.0.0.1 will be rejected. But it
seems not to work for me.
After searching a lot about PREROUTING, it seems it is not possible to manage docker's
packets with firewalld.
I tried to set zone "docker" to "reject", which works a little:
it means all web ports opened by docker can be accessed but can't work normally.
Although docker has integration with firewalld
(https://docs.docker.com/network/iptables/#integration-with-firewalld), docker can
only play with iptables.
I gave podman a try, but seems. :(
Anyway, I'd appreciate your help. :)
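Added example, not from the poster: the mail describes Docker publishing ports through its own iptables rules in a way the firewalld policy above does not catch. A quick way to see what is actually exposed on such a host is to audit the `iptables-save` output for the DNAT rules in Docker's `DOCKER` nat chain (the chain Docker creates for published ports) and to check whether the `DOCKER-USER` filter chain, which Docker's documentation reserves for administrator rules, carries anything beyond its default `RETURN`. The `iptables-save` text below is constructed for the example; on a real host you would feed in `iptables-save` itself.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not captured from the poster's
# machine): Docker has published container port 80 as host port 8080, and the
# DOCKER-USER chain still holds only its default RETURN rule.
SAMPLE_DEFAULT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
'

# Same host after the administrator placed a restriction in DOCKER-USER
# (also constructed): forwarded traffic not from the loopback address is dropped.
SAMPLE_RESTRICTED='*nat
:DOCKER - [0:0]
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER ! -s 127.0.0.1/32 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
'

# Print every host port that Docker's nat DOCKER chain DNATs into a container,
# one per line as "proto port -> container:port". Argument: iptables-save text.
docker_published_ports() {
    printf '%s' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            proto = ""; port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto, port, "->", dest
        }'
}

# Exit 0 when the filter-table DOCKER-USER chain contains any rule other than
# the default "-j RETURN", i.e. an administrator filter sits in front of
# Docker's own rules; exit 1 when the chain is still untouched.
docker_user_chain_restricted() {
    printf '%s' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && !/-j RETURN$/ { found = 1 }
        END { if (found) exit 0; else exit 1 }'
}

# Stand-alone usage: audit the constructed samples.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_RESTRICTED"; do
    echo "published by Docker:"
    docker_published_ports "$sample"
    if docker_user_chain_restricted "$sample"; then
        echo "DOCKER-USER: administrator rules present"
    else
        echo "DOCKER-USER: only the default RETURN (nothing restricts Docker's forwards)"
    fi
done
```

On a live host, `docker_published_ports "$(iptables-save)"` lists what Docker has exposed regardless of firewalld's zones, which is the gap the mail is describing; the `DOCKER-USER` check tells you whether any restriction applies before Docker's own accept rules.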