it looks like it does work - it just takes a REAL long time to load with "many" entries in the file. iptables was never slow. firewalld seems inefficient. I was able to add the line - restart the firewall, (wait) - see my packets dropped - remove the line - restart the firewall (wait) and able to ping again. I thought this "Direct.xml" file would be the fastest way for firewalld - but there is multi-minute wait to restart. I have about 14000 entries. Jerry