Santiago and I did manual test to start the firewalld containter in a ALP. Below are the steps followed,

1. Disable the Host's firewalld
   #systemctl stop firewalld.service

2. Identify the firewalld workload image:
   #podman search firewalld
   registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld

3. Start the firewalld container:
   #podman run -d --network host --privileged --name my-firewalld registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
   This will pull (download) the image from registry.opensuse.org if the image is not already in the local cache. The --network host means the container will run in the default network namespace and thus make firewall changes affecting the entire host.

4. To make changes to firewalld running inside the container podman exec must be used
   #podman exec my-firewalld firewall-cmd
   State: running
   No options specified
   usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page

5. Add the port 9090 to enable the cockpit web server on ALP
   #podman exec my-firewalld firewall-cmd --add-port=9090/tcp
   You're performing an operation over default zone ('public'),
   but your connections/interfaces are in zone 'docker' (see --get-active-zones)
   You most likely need to use --zone=docker option.

   success

Note:
Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias.

#alias my-firewall-cmd='podman exec my-firewalld firewall-cmd'