firewalld rich rules with "reject" result in allowed traffic being dropped

Solution Verified - Updated -


  • When ever I add the following rich rule to my configuration "rule family="ipv4" source address="" reject" all connections to my server are rejected, even the ones I have already opened/allowed. The rule order doesn't matter and the zone doesn't matter.
  • Example rules:
public (active)
rich rules:
rule family="ipv4" source address="" service name="ssh" accept
rule family="ipv4" source address="" reject
  • As soon as I add that final reject rule to any configuration, all connections are rejected/blocked to the server. I even reordered them. So rule order and zone doesn't seem to make a difference.
  • In the above example, shouldn't the firewall see the accept for SSH and then stop processing and never get to the reject after that?


  • Red Hat Enterprise Linux 7
  • firewalld firewall
  • firewalld rich rule language with a "reject" rule

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content