diff --git a/roles/paas-docker/docker/files/prometheus-docker.xml b/roles/paas-docker/docker/files/prometheus-docker.xml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/docker/files/prometheus-docker.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Firewall :: Docker :: Prometheus metrics
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial work, not eligible to copyright
+    Source file:  roles/paas-docker/docker/files/prometheus-docker.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+<service>
+  <short>Prometheus-compatible Docker metrics</short>
+  <description>See https://docs.docker.com/config/daemon/prometheus/</description>
+  <port protocol="tcp" port="9323" />
+</service>
diff --git a/roles/paas-docker/docker/firewall.sls b/roles/paas-docker/docker/firewall.sls
--- a/roles/paas-docker/docker/firewall.sls
+++ b/roles/paas-docker/docker/firewall.sls
@@ -14,6 +14,11 @@
 
 {% if services['firewall'] == 'firewalld' %}
 
+{{ dirs.etc }}/firewalld/services/prometheus-docker.xml:
+  file.managed:
+    - source: salt://roles/paas-docker/docker/files/firewalld-services-prometheus-docker.xml
+    - makedirs: True
+
 {{ dirs.etc }}/firewalld/zones/public.xml:
   file.managed:
     - source: salt://roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja