Podman / Docker - expose port only to the localhost of the host machine
There are good reasons to expose a port of a docker container only to the localhost of the host machine. Security reasons or the use of a reverse proxy are only 2 of them (please don't ask for more). And it is fairly easy.
It is a simple modification to the argument of the -p flag when running podman run:
podman run -d -p 8080:80/tcp docker.io/library/httpd
From the manual:
-p, --publish strings Publish a container's port, or a range of ports, to the host (default [])
This is a quick example which sets up a web server. The first part before the colon - in this case 8080 - is the exposed port on the host machine, on which the container would be reachable. The second part after the colon - 80/tcp - is the port used within the container.
To limit the exposed port to the localhost of the host machine, just add the host loopback address (127.0.0.1:) in front of the host part. The new command would then be:
podman run -d -p 127.0.0.1:8080:80/tcp docker.io/library/httpd
That's it.
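To check that nothing is still published on all interfaces, the following added example (not from the original post) reads container listings in the "name ports" form produced by podman ps --format '{{.Names}} {{.Ports}}' and prints every mapping that is not bound to a loopback address. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag published ports that are not bound to loopback.
# Input on stdin: one container per line, "<name> <ports>", e.g.
#   podman ps --format '{{.Names}} {{.Ports}}' | audit_published_ports

# Constructed sample listing (not real output from any host).
sample_ps_output() {
    cat <<'EOF'
web 0.0.0.0:8080->80/tcp
proxied 127.0.0.1:8081->80/tcp
api 127.0.0.1:9000->9000/tcp, :::9000->9000/tcp
v6local [::1]:8443->443/tcp
idle
EOF
}

# Runs in a subshell so that "set -f" and IFS changes do not leak out.
audit_published_ports() (
    set -f                                  # no globbing on "[::1]" etc.
    while read -r name ports; do
        old_ifs=$IFS; IFS=','               # Ports is a comma-separated list
        for mapping in $ports; do
            IFS=$old_ifs
            mapping=$(printf '%s' "$mapping" | tr -d ' ')
            case $mapping in
                *'->'*) ;;                  # host -> container mapping
                *) continue ;;              # e.g. "80/tcp": not published
            esac
            host=${mapping%%'->'*}          # "127.0.0.1:8081"
            addr=${host%:*}                 # drop the trailing ":port"
            case $addr in
                127.*|'[::1]'|::1) ;;       # loopback only: fine
                *) printf '%s %s\n' "$name" "$mapping" ;;
            esac
        done
        IFS=$old_ifs
    done
)

# Prints the two mappings that are reachable from other machines.
sample_ps_output | audit_published_ports
```

An empty result means every published port is reachable only from the host itself.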