Bug
Resolution: Done-Errata
Blocker
rhel-10.0
firewalld-2.3.0-2.el10
Yes
Important
rhel-net-firewall
ssg_networking
26
3
Dev ack
False
False
No
None
Pass
Automated
None
Cockpit's recent RHEL 10.0 image refresh found a regression in firewalld: With 2.3.0, locally exposed podman ports are now inaccessible. The image build log has the full package version diff at the bottom, but the most likely one is firewalld 2.2.1 → 2.3.0. In particular, podman itself did not update (podman-5.3.1-3.el10.x86_64 on both the old and new image).
Please provide the package NVR for which the bug is seen:
podman-5.3.1-3.el10.x86_64
firewalld-2.3.0-1.el10.noarch
How reproducible is this bug?:
Always
Steps to reproduce
podman run -d --rm -p 5000:5000 --name registry quay.io/libpod/registry:2.8
curl http://localhost:5000/foo
Expected results
curl should fail with "404 page not found". (Of course that curl is bogus, and you'd really use that registry with some podman push or similar. But that's not relevant here).
Actual results
> curl: (7) Failed to connect to localhost port 5000 after 0 ms: Could not connect to server
That happens because port 5000 is now blocked by default by firewalld. That wasn't the case before, thus breaks a long-standing existing behaviour. It doesn't sound sensible at first – a firewall should mediate trust relations between machines, not services inside a single machine.
However, if that was deliberate, it is still hard to work around: I tried all three of
firewall-cmd --zone=trusted --add-port=5000/tcp
firewall-cmd --zone=public --add-port=5000/tcp
firewall-cmd --add-port=5000/tcp
But none helps (the latter says "already enabled"). The only thing that does help is systemctl stop firewalld.
Links to: RHBA-2024:144037 firewalld bug fix and enhancement update