Some Docker applications require outgoing access to the internet, which is not possible with typical Synology firewall rules. In my case Vaultwarden (lightweight implementation of Bitwarden) needs access to download icons for the various sites with passwords stored, and Watchtower requires access to check and download from docker hub.

Simple thing to be done is to allow traffic from the network(s) you have configured for your containers – in my case 172.17.0.0/16

And add a rule to the firewall to allow all traffic. Make sure it is before the final entry where you block all other traffic.

And it works again 👍