On Thu, Feb 16, 2023 at 11:41:29AM -0500, Ed Greenberg wrote:
> On 2/16/23 8:52 AM, Eric Garver wrote:
> > _deny has always been before _allow.
> >
> Hi Eric,
>
> Given these rules...
> [..]
> rule family="ipv4" service name="sip" reject

This rule is rejecting _all_ traffic. You are not specifying any order
(priority) so this reject goes to the _deny chain which always executes
before the _allow chain.
I think this blog post should clarify things for you.
https://firewalld.org/2018/12/rich-rule-priorities
tl;dr use 'rule priority=N ...' in your rich rules.
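
The ordering described in the message above, as an added example that is not part of the original thread or firewalld's own code: a small Python model of which zone chain a rich rule lands in and which rule decides a packet first. The rule sets, the peer address 192.0.2.10 and all function names are constructed for illustration, and the non-terminal _log chain is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone chain order; priority-0 rules are placed by action, _deny before _allow.
CHAIN_ORDER = ["pre", "deny", "allow", "post"]

@dataclass
class RichRule:
    action: str                    # "accept", "reject" or "drop"
    service: str
    source: Optional[str] = None   # CIDR; None matches any source
    priority: int = 0              # firewalld range is -32768..32767

    def chain(self) -> str:
        if self.priority < 0:
            return "pre"           # runs before _deny/_allow
        if self.priority > 0:
            return "post"          # runs after _deny/_allow
        return "allow" if self.action == "accept" else "deny"

    def matches(self, src: str, service: str) -> bool:
        if service != self.service:
            return False
        return self.source is None or (
            ipaddress.ip_address(src) in ipaddress.ip_network(self.source))

def evaluation_order(rules):
    # Sort by chain, then by priority value (lower runs first).
    return sorted(rules, key=lambda r: (CHAIN_ORDER.index(r.chain()), r.priority))

def verdict(rules, src, service, default="zone-default"):
    for rule in evaluation_order(rules):
        if rule.matches(src, service):
            return rule.action     # first terminal match wins
    return default

# Constructed rule set: no priority, so the blanket reject sits in _deny.
NO_PRIORITY = [
    RichRule("accept", "sip", source="192.0.2.10/32"),
    RichRule("reject", "sip"),
]
# Same intent with explicit priorities: the accept is ordered before the reject.
WITH_PRIORITY = [
    RichRule("accept", "sip", source="192.0.2.10/32", priority=-10),
    RichRule("reject", "sip", priority=-5),
]
```

On a real host the second rule set corresponds to rich rules written as `rule priority=-10 ...` and `rule priority=-5 ...`.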