firewalld rich rules with "reject" result in allowed traffic being dropped

Solution Verified

Issue

  • Whenever I add the following rich rule to my configuration, 'rule family="ipv4" source address="0.0.0.0/0" reject', all connections to my server are rejected, even the ones I have already opened/allowed. The rule order doesn't matter and the zone doesn't matter.
  • Example rules:
        public (active)
        ...
        rich rules:
        rule family="ipv4" source address="0.0.0.0/0" service name="ssh" accept
        rule family="ipv4" source address="0.0.0.0/0" reject
  • As soon as I add that final reject rule to any configuration, all connections to the server are rejected/blocked. I even reordered them, so rule order and zone don't seem to make a difference.
  • In the above example, shouldn't the firewall see the accept for SSH and then stop processing and never get to the reject after that?
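The behaviour described above follows from how firewalld on RHEL 7 (firewalld 0.4.x) lays out a zone in iptables: rich rules are not evaluated in the order they are listed. Each rule is placed in one of three per-zone sub-chains, IN_<zone>_log, IN_<zone>_deny and IN_<zone>_allow, and the zone chain always jumps to them in that order, so a reject or drop rich rule is checked before every accept rich rule (and before the zone's ordinary allowed services, which also live in the allow chain). The following shell script is an added illustration written for this page, not code from the Red Hat article or from the firewalld project; it models that fixed log/deny/allow ordering with the two rules quoted in the Issue section, and the function names (rich_rule_chain, firewalld_eval_order, has_catchall_deny) are this example's own.

```shell
#!/bin/sh
# Added illustration (not from the Red Hat article): a small model of how
# firewalld on RHEL 7 (firewalld 0.4.x) orders rich rules inside a zone.
# Rich rules are not evaluated in listing order. Each rule lands in one of
# three per-zone chains, which the zone chain consults in this fixed order:
#   IN_<zone>_log    log/audit actions
#   IN_<zone>_deny   reject and drop actions
#   IN_<zone>_allow  accept actions
# so any reject rich rule is matched before any accept rich rule, whatever
# order "firewall-cmd --list-rich-rules" prints them in.

# Map a rich rule to the zone sub-chain its terminal action lands in.
rich_rule_chain() {
    case "${1##* }" in
        accept)      echo allow ;;
        reject|drop) echo deny ;;
        *)           echo unknown ;;
    esac
}

# Read rich rules on stdin (one per line, in listing order) and print them
# in the order the zone chains actually evaluate them: deny first, then allow.
firewalld_eval_order() {
    rules=$(cat)
    for chain in deny allow; do
        printf '%s\n' "$rules" | while IFS= read -r rule; do
            if [ -n "$rule" ] && [ "$(rich_rule_chain "$rule")" = "$chain" ]; then
                printf '%s\n' "$rule"
            fi
        done
    done
}

# Exit 0 when a catch-all reject/drop rich rule is present: because it lives
# in the deny chain it shadows every accept rich rule in the zone.
has_catchall_deny() {
    while IFS= read -r rule; do
        case "$rule" in
            *'source address="0.0.0.0/0" reject'|*'source address="0.0.0.0/0" drop')
                return 0 ;;
        esac
    done
    return 1
}

# The two rules quoted in the article, in the order they were listed.
ARTICLE_RULES='rule family="ipv4" source address="0.0.0.0/0" service name="ssh" accept
rule family="ipv4" source address="0.0.0.0/0" reject'

# The first rich rule an incoming SSH packet is matched against.
first_rule_evaluated() {
    printf '%s\n' "$ARTICLE_RULES" | firewalld_eval_order | head -n 1
}

# Exit status only: 0 when the article's rule set contains the shadowing rule.
article_rules_shadowed() {
    printf '%s\n' "$ARTICLE_RULES" | has_catchall_deny
}

if [ "${1:-}" = "--demo" ]; then
    echo "Evaluation order firewalld actually uses:"
    printf '%s\n' "$ARTICLE_RULES" | firewalld_eval_order
    if article_rules_shadowed; then
        echo "catch-all deny rich rule present: every accept rich rule is unreachable"
    fi
fi
```

Run with `sh model.sh --demo` to see the reject rule printed first. The practical consequence for a default-deny policy is that a catch-all reject rich rule is the wrong tool on this firewalld version: it is always consulted before the allow chain. A zone-level default is expressed instead through the zone target (`firewall-cmd --permanent --zone=public --set-target=REJECT`, followed by `firewall-cmd --reload`), which firewalld applies after the log/deny/allow chains have been evaluated; rich rules only gained an explicit `priority` attribute for fine-grained ordering in later firewalld releases (0.7 and newer), which RHEL 7 does not ship.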

Environment

  • Red Hat Enterprise Linux 7
  • firewalld firewall
  • firewalld rich rule language with a "reject" rule
