Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Release Note Type:
Enhancement
Release Note Text:

Hide
.`StrictForwardPorts` is now available in `firewalld`

When the `StrictForwardPorts` option in the `/etc/firewalld/firewalld.conf` configuration file is set to `yes`, port forwarding from Podman is no longer possible, and attempting to start a container or pod with the `-p` or `-P` options returns errors. All ports must be forwarded by using `firewalld`. This ensures that containers cannot allow traffic through the firewall without administrator intervention. See the `netavark-firewalld` man page for more details.

Show
.`StrictForwardPorts` is now available in `firewalld` When the `StrictForwardPorts` option in the `/etc/firewalld/firewalld.conf` configuration file is set to `yes`, port forwarding from Podman is no longer possible, and attempting to start a container or pod with the `-p` or `-P` options returns errors. All ports must be forwarded by using `firewalld`. This ensures that containers cannot allow traffic through the firewall without administrator intervention. See the `netavark-firewalld` man page for more details.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Done

Podman loads NAT rules that bypass firewall restrictions. The DNAT occurs before firewalld's rule set and as a result port 9100 is open to the world.

Adding configuration option which would require explicit addition of the port to firewalld by the admin before forwarding.

is depended on by

RHEL-33558 [RHEL EPIC] GA Firewalld Support - RHEL 9.7

links to

RHSA-2025:147064 podman bug fix and enhancement update