Got it. Thanks for the blog posting. Also for the hint on priority. I will get this thing straightened out.

On Thu, Feb 16, 2023, 11:56 Eric Garver <egarver@redhat.com> wrote:
On Thu, Feb 16, 2023 at 11:41:29AM -0500, Ed Greenberg wrote:
> On 2/16/23 8:52 AM, Eric Garver wrote:
> > _deny has always been before _allow.
> >
> Hi Eric,
>
> Given these rules...
>
[..]
>     rule family="ipv4" service name="sip" reject

This rule is rejecting _all_ traffic. You are not specifying any order
(priority) so this reject goes to the _deny chain which always executes
before the _allow chain.

I think this blog post should clarify things for you.

https://firewalld.org/2018/12/rich-rule-priorities

tl;dr use 'rule priority=N ...' in your rich rules.