firewalld rich rules with "reject" result in allowed traffic being dropped

Solution Verified - Updated -

Issue
  • Whenever I add the following rich rule to my configuration, "rule family="ipv4" source address="" reject", all connections to my server are rejected, even the ones I have already opened/allowed. The rule order doesn't matter and the zone doesn't matter.
  • Example rules:
public (active)
rich rules:
rule family="ipv4" source address="" service name="ssh" accept
rule family="ipv4" source address="" reject
  • As soon as I add that final reject rule to any configuration, all connections to the server are rejected/blocked. I even reordered them, so rule order and zone don't seem to make a difference.
  • In the above example, shouldn't the firewall see the accept for SSH and then stop processing and never get to the reject after that?


Environment

  • Red Hat Enterprise Linux 7
  • firewalld
  • firewalld rich rule language with a "reject" rule
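The following shell script is an added example and is not part of the Red Hat article or of firewalld itself. It reproduces the rich-rule evaluation order that firewalld.richlanguage(5) documents and that this page does not spell out: firewalld groups a zone's rich rules by action and evaluates log rules first, then deny rules (reject, drop), then allow rules (accept), regardless of the order in which they were added or are listed by firewall-cmd. The sample rules are constructed after the ones in the question, with the documentation prefix 203.0.113.0/24 standing in for the redacted source address.

```shell
#!/bin/sh
# Added example, not from the original article. Sorts a list of firewalld rich
# rules into the order firewalld evaluates them: log rules, then deny rules
# (reject/drop), then allow rules (accept). A rule that combines "log" with an
# action is classified by its action here.

# Constructed sample, modelled on the rules in the question. 203.0.113.0/24 is
# a documentation prefix standing in for the source address redacted on the page.
SAMPLE_RULES='rule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept
rule family="ipv4" source address="203.0.113.0/24" reject'

# Map one rich rule to the group firewalld places it in: 1=log, 2=deny, 3=allow.
# Returns 0 for rules this example does not model (for instance a mark-only rule).
rich_rule_group() {
    case " $1" in
        *" accept"*)            echo 3 ;;
        *" reject"*|*" drop"*)  echo 2 ;;
        *" log"*|*" audit"*)    echo 1 ;;
        *)                      echo 0 ;;
    esac
}

# Print the rules in the order firewalld evaluates them, one per line.
# The walk is stable within a group, so listing order only matters inside a group.
effective_order() {
    for group in 1 2 3; do
        printf '%s\n' "$1" | while IFS= read -r rule; do
            if [ "$(rich_rule_group "$rule")" = "$group" ]; then
                printf '%s\n' "$rule"
            fi
        done
    done
}

# The first rule a packet from the matching source hits. With the sample this is
# the reject, so SSH from 203.0.113.0/24 is refused before the accept is consulted.
first_effective_rule() {
    effective_order "$1" | head -n 1
}

effective_order "$SAMPLE_RULES"
```

On a live RHEL 7 host with the iptables backend the same ordering is visible in the generated chains: `iptables -S IN_public` shows jumps to IN_public_log, IN_public_deny and IN_public_allow in that order, and `iptables -S IN_public_deny` / `iptables -S IN_public_allow` show where each rich rule landed. The `priority=` option that lets a rich rule override this grouping was introduced in firewalld 0.7 and is not available in the firewalld versions shipped with RHEL 7.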
