Podman/Docker cant reach internet

Had problem on CentOS 7/8 with both podman and docker. no container could reach internet. needed to enable the following.

cat <<EOF > /etc/sysctl.d/podman.conf
# Enable containers to access the outer world
net.ipv4.ip_forward=1
EOF

I also needed to enable masquerading on the external zone.

firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade

One question left, who is allowed to masquerade? i see no filtering done meaning any other network connected to this machine can masquerade as the public zone. Does not sound good.