Rootfull vs Rootless network firewall - by design or am I doing something wrong?

[pswilde]

Hi all, I hope you're all well.
I hope somebody can either confirm this is by design or I'm doing something wrong - I don't mind either way, but my search for clarification is failing.
I am using Podman on Rocky Linux with FirewallD - all working well and I have this set up in a few different places for different services.
However, I noticed yesterday that on a rootful container, ports exposed on the container are also automatically exposed on the host machine as well - whether firewalld has them open explicitly or not.
For example, say I run a web server container and expose an alternate port (i.e. -p 8080:80) and run haproxy on the host machine proxying into that container via port 443. I then open port 443 with firewalld and it all works perfectly. However, from an external machine I can still access the web server on port 8080 even though firewalld doesn't have an explicit rule for port 8080.

Of course, if I do this via a rootless container it doesn't happen as rootless containers handle the network differently.
Yes, I should probably look into using rootless containers anyway, and I have migrated most over to rootless where I have been able to.

Is this right? Logically I would expect only ports open in firewalld to be accessible externally - even if it is a rootfull container.
I expect it's something to do with the "trusted" zone that the containers become part of - accepting all traffic, and if anyone knows of any config I can do to help firewalld out it would be much appreciated.

Of course, if this is expected behavior then I'm happy, I'll continue moving to rootless containers as I should be doing anyway!

Thanks

[pswilde]

OK - stand down.
I finally found the line which sort of answers it :
"Depending on the firewall implementation, we have observed firewall ports being opened automatically due to running a container with a port mapping (for example)."
on https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md

Doesn't really answer if it's expected behavior or not - it's more it's been observed happening with no indication of whether it's supposed to be like that or not.
Nevermind, if that's the way it is for now that's fine. Rootless it is! thanks everyone!

[Luap99]

Yes this is expected, at least for firewalld.
Since a rootless networking doesn't have any privileges on the host we cannot modify the firewall and you need to manually allow the ports.

[pswilde]

Thanks @Luap99
I'm perfectly happy with how rootless networking works - it's working exactly as I expect and prefer.
It's just the rootfull networking automatically opening ports on the host machine regardless of firewall config is concerning. I prefer to manage the firewall ports myself, I don't really want podman doing it - but hey, that's just a good reason not to use rootfull containers.

[Luap99]

@mheon WDYT? How does your firewalld work in netavark effect this?

[mheon]

I think that will automatically open the ports on the host firewall, but I have not verified yet - there are still a number of questions about the exact implementation there.

[rhatdan]

I don't believe we should do anything to the host firewall as far as external access, I think this should be controlled by the ADMIN, not necessarily the same person that is launching Podman containers.

[mheon]

This is not an option we have with firewalld. Ports are either in the allowed policy, or they are not.

[pswilde]

In rootfull containers they are automatically in the allowed policy by the looks of it.
I've just done some further testing and it's the same in docker - so it's either something I'm doing or the way firewalld just works with rootfull containers.
I've done a lot of work over the last 24 hours migrating everything to rootLESS - and I'm really happy now, so all good. Thanks everyone.