I think you have an X/Y problem.

Rootless podman requires no special firewall management. Like docket, you mearly expose you want in the container, and if you want those ports accessible outside the machine, the firewall has to allow access - just like any other program.

How is your podman configured? To use pasta, or slirp4netns? I often have trouble with pasta - I merely haven’t spent the time to figure out the details of using it - so I always just switch (back) to slirp4netns, which was the original network tool. Do this in /etc/containers/containers.conf, or dig into pasta and see if there’s something in there. The pasta package is actually called “passt.”

Did you set up subuid and subgid correctly?

Did you confirm you can access your services locally?

If you are using slirp4netns and have your account configured in subuid and subgid, then rootless podman should function as any other networking program, and you shouldn’t have any firewall issues.

As an aside, and just my humble opinion, I really hate firewalld. It makes firewall configurations complex and byzantine, and almost impossible to work with with other tools like nft. I’m sure it is great for some people, but anytime you add more complexity to a configuration, you add more opportunity for something to be incorrectly configured. I hate fighting with it, and have had times where I struggled to get it to open a port: I was in the wrong “zone”, or was in persistent mode rather than runtime mode, or whatever. It’s just unnecessary added complexity, and lately if the distro installs it I just uninstall it first thing and use nft.

If you followed the rootless podman wiki and everything else looks good, I’d look suspiciously at firewalld.