On 2020-06-25 22:21, Eric Garver wrote:
> On Thu, Jun 25, 2020 at 08:02:33AM +0800, Ed Greshko wrote:
>> On 2020-06-24 22:34, Eric Garver wrote:
>>> On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
>>>> On 2020-06-18 04:32, Eric Garver wrote:
>>>>> [..]
>>>> Even that wouldn't explain why, with the middle system 3 interfaces being 192.168.122.1/192.168.1.18/192.168.2.127 I can't ssh to 192.168.1.142 from 2.116 with the FW up.
>>> The 192.168.1.0/24 network wasn't shown in your diagram. If it's part of the "public" zone, then that makes sense. firewalld will block the forwarded traffic. The next firewalld feature release has a new feature to allow intra zone forwarding [1].
>> Yes, I didn't put that network in the diagram since it seemed to me irrelevant to the initial problem/question.
>>
>> I can see how the new feature would affect an ssh from .2.116 to .1.142 since both enp2s0 and wlp4s0
>> are in the public zone.
>>
>> [egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
>> libvirt
>>   interfaces: virbr0
>> public
>>   interfaces: enp2s0 wlp4s0
>>
>> But, the original problem I'm trying to resolve is ssh (or any traffic) from .2.116 to .122.152 which would
>> be between the public and libvirt zones.
> Right. And we already diagnosed that. libvirt's rules are dropping the
> packets, not firewalld.
>
> Seems like you have two issues here:
>
>  1) libvirt's iptables rules are blocking public --> VM traffic
>     - this must be addressed via libvirt
>> But, I get no log messages when I set --set-log-denied=all. Shouldn't those be logged?
> No. Because firewalld is not the one dropping the packets here. libvirt
> is the one dropping. firewalld can't influence libvirt's rules.


Sorry, I must be missing something.  When you say "libvirt's rules" aren't they the rules of the libvirt zone?
They can't be "adjusted" with the usual firewall-cmd commands?

Also, wouldn't one expect the rules to be the same for IPv4 and IPv6?  Hope the network diagram attachment
makes it.

Configured on the router are

Forward Port 22 from 211.75.128.214 to 192.168.122.152
Static route pointing 192.168.122.0/24 to 192.168.1.18
Static route pointing 2001:b030:112f:2::/64 to 2001:b030:112f::140e

From a host with IPs of 211.75.128.211 and 2001:470:67:cce::5 this works.

[egreshko@acer ~]$ ssh 2001:b030:112f:2::4
Last login: Thu Jun 25 22:15:30 2020 from 2001:470:66:cce::2

While this "hangs".  (I think because ICMP may be blocked at some point.  Too late in my day to check)

[egreshko@acer ~]$ ssh 211.75.128.214
ssh: connect to host 211.75.128.214 port 22: Connection timed out
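A way to confirm Eric's diagnosis on the middle host, added here as an example and not taken from the thread: firewalld's --set-log-denied only logs drops made by firewalld's own chains, so the packet counters of the libvirt chains (LIBVIRT_FWI, LIBVIRT_FWO as created by libvirt itself) are where a libvirt-side drop shows up. The rule listing below is a constructed sample in `iptables-save -c` format, not output captured from the hosts in the thread; on a live system pipe `sudo iptables-save -c` into the same function.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -c` output. Counters are made up;
# the chain names are the ones libvirt creates for its FORWARD filtering.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
[12:720] -A FORWARD -j LIBVIRT_FWI
[0:0] -A FORWARD -j LIBVIRT_FWO
[0:0] -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[12:720] -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'

# Read `iptables-save -c` text on stdin and print every terminating rule
# (DROP or REJECT) whose packet counter is non-zero, as:
#   <chain> <packets> <full rule line>
# A hit in a LIBVIRT_* chain means libvirt, not firewalld, is discarding
# the forwarded traffic, which is why --set-log-denied=all stays silent.
hit_terminating_rules() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A / {
            # $1 is "[pkts:bytes]"; strip the brackets and split on ":"
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] > 0 && ($0 ~ / -j (DROP|REJECT)( |$)/))
                print $3, c[1], $0
        }'
}

# Run against the constructed sample; live use: sudo iptables-save -c | hit_terminating_rules
printf '%s\n' "$SAMPLE_RULES" | hit_terminating_rules
```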