Comment # 2 on bug 1190122 from Guilherme Moro

firewalld is shipping the configuration for docker zone in
/usr/lib/firewalld/zones by default.

The usual firewalld configuration would use NetworkManager to manage which
interfaces are attached to each zone, as we don't use it, our zone
configuration has <interface name="docker0"/> in it's configuration file, so
firewalld automatically considers this zone as an "active" zone.

This is misleading and we should probably move the configuration file to docker
packages, or at least remove the default interface configuration from the zone
definition.