--On Tuesday, December 19, 2017 11:44 AM -0500 Eric Garver egarver@redhat.com wrote:
It is also checking on the FORWARD chain for both input and output. But for the output it checks the destination and does a goto to the FDO_* chain. It seems unlikely that you would have a drop statement in that chain, but it's worth a look.
Thanks. I'm working my way through the chains to try to understand the nesting and the path the packets take. I've done this before with hand-crafted chains but firewalld generates a LOT of empty chains that make the output a bit "noisy" and hard to follow.