--On Tuesday, June 16, 2020 5:20 PM -0700 david <david at daku.org> wrote: > If someone can suggest a firewall-cmd equivalent, it would be nice. Alas, firewalld is targeted at end nodes and doesn't really provide much facility for routers. Its big advantage there is in setting up a reasonable default firewall for the gateway itself. The only real gateway support is to enable masquerade on the external interface. I use firewalld direct rules for controlling the forwarded packets. They look like iptables rules and get injected into firewalld's own subchains. Use "iptables -L -v -n" to dump the whole mess into a file for examination. In /etc/firewalld/direct.xml, you could add an XML passthrough node like this: <passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough> This assumes your internal zone is named internal. Change the chain name to match your zone name. You don't need to specify the interface name here because the FWDI_internal chain is only invoked if the inbound interface matches an interface in that zone. Also note that the -I option takes a chain name and a number indicating where to insert a rule. I use 1 to put the rule at the start of any rules that firewalld has already inserted. So if you need a LOG rule, you'll want to put the nodes in reverse order in the XML file so they get inserted backwards, last rule first. Ie. insert the DROP rule, then the LOG rule.