On 03/21/2016 10:18 PM, Devin Reade wrote:
> However, in this case the host won't have addresses on (based on my above
> correction) either br2 or br3. It does sound, though, like having
> enp1so, enp1s0.2, and enpe1s0.3 in the 'DMZ' zone means that filtering
> rules on the host will affect inbound traffic to the VMs on br2 and
> br3.

No, because:

/usr/lib/sysctl.d/00-system.conf:# Disable netfilter on bridges.
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-ip6tables = 0
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-iptables = 0
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-arptables = 0

(Unless you change the defaults)
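The answer hinges on the value that is actually in effect: the grep above shows only the vendor default in /usr/lib/sysctl.d, and a drop-in under /etc/sysctl.d overrides it. The script below is an added example, not part of the mail, that resolves the effective value the way systemd-sysctl merges drop-ins (higher-priority directories shadow same-named files, then lexical order, last assignment wins) against a constructed tree; the 99-bridge-filter.conf drop-in is a hypothetical local override.

```shell
#!/bin/sh
# Resolve the value a key has once systemd-sysctl applies its drop-ins.
# Directories are passed highest priority first (/etc/sysctl.d before
# /usr/lib/sysctl.d): a file name already seen shadows the same name lower
# down, the survivors are applied in lexical order, and the last assignment
# wins. Assumes dotted key names and "key = value" lines.
effective_sysctl() {
    key=$1; shift
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
    seen=" "; files=""
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            base=${f##*/}
            case "$seen" in *" $base "*) continue ;; esac   # shadowed
            seen="$seen$base "
            files="$files$(printf '%s\t%s' "$base" "$f")
"
        done
    done
    value=""
    for f in $(printf '%s' "$files" | LC_ALL=C sort | cut -f2-); do
        v=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$f" \
            | sed 's/[[:space:]]*$//' | tail -n1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Constructed sample tree: the stock 00-system.conf lines quoted in the mail
# plus a local drop-in (hypothetical file name) re-enabling IPv4 filtering.
write_sample_tree() {
    mkdir -p "$1/usr/lib/sysctl.d" "$1/etc/sysctl.d"
    cat >"$1/usr/lib/sysctl.d/00-system.conf" <<'EOF'
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
    printf 'net.bridge.bridge-nf-call-iptables = 1\n' \
        >"$1/etc/sysctl.d/99-bridge-filter.conf"
}
root=$(mktemp -d)
write_sample_tree "$root"
for k in iptables ip6tables arptables; do
    key=net.bridge.bridge-nf-call-$k
    printf '%s => %s\n' "$key" \
        "$(effective_sysctl "$key" "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d")"
done
rm -rf "$root"
```

On a live host, `sysctl net.bridge.bridge-nf-call-iptables` reports the running value directly; the key only exists once the br_netfilter module is loaded.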