services.firewalld.settings.StrictForwardPorts

NixOS option

If enabled, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT’d by other entities, e.g. docker. Firewalld will be strict and will not allow published container ports until they are explicitly allowed via firewalld. If set to false, docker (and podman) integrate seamlessly with firewalld, and published container ports are implicitly allowed.

type: boolean
default: false
declared in: nixos/modules/services/networking/firewalld/settings.nix