diff --git a/system/containers.nix b/system/containers.nix
index ddd3e38..dfa5bf0 100644
--- a/system/containers.nix
+++ b/system/containers.nix
@@ -33,6 +33,18 @@ networking.firewall.extraCommands = lib.getExe pkgs._docker-block-external-connections;
+ # Docker punches holes in your firewall
+ systemd.services.docker-update-firewall = {
+ script = lib.getExe pkgs._docker-block-external-connections;
+ };
+ systemd.timers.docker-update-firewall = {
+ timerConfig = {
+ OnCalendar = "minutely";
+ Unit = "docker-update-firewall.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
 programs.extra-container.enable = true;
 programs.firejail.enable = true;
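Review bot: The minutely timer leaves a window of up to 60 s (plus the script's own run time) in which ports Docker has just published are reachable from outside, so the new `systemd.timers.docker-update-firewall` block narrows the exposure rather than closing it. Docker evaluates the `DOCKER-USER` chain before its own rules and does not flush it, so placing the blocking rules there would let them persist across container starts without polling; if the timer is kept, the service should at least also re-run when the daemon comes up, e.g. `after = [ "docker.service" ]; wantedBy = [ "docker.service" ];` on `systemd.services.docker-update-firewall`. The service declares no `serviceConfig.Type`, so it runs as `simple`, which reports the unit as started before the script has done anything; `serviceConfig.Type = "oneshot";` is the conventional choice for a timer-driven script. Whether `_docker-block-external-connections` takes the iptables lock (`-w`) so it does not race Docker's own rule insertion cannot be seen from this hunk, and is worth confirming since the two will now run concurrently every minute.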