[CentOS] Firewalld

Sun Oct 11 22:00:35 UTC 2015
Emmett Culley <lst_manage at webengineer.com>

I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.

All servers are up to date.

By "just noticed" I mean that I finally investigated why a newly rebooted VM failed to allow NFS connections.  Prior to doing that, I'd been stopping the firewall to get access, then restarting the firewall after setting the eth1 interface to ACCEPT.  This time I took a look at iptables and found that eth1 was set to REJECT, before I stopped the firewall.  It was obvious that firewalld had been started by systemd, because the output of iptables -nvL had the same set of rules you can see when firewalld is restarted, except that after restart interface eth1 is set to ACCEPT.

I assume there must be a different set of configuration files that are accessed upon reboot than those accessed upon firewalld restart.

Note that all CentOS 7 machines (VM and hardware) in our data center have this same issue.

Anyone know where and what those files are?

Emmett