On 2020-06-16 11:43, Ed Greshko wrote:
On 2020-06-16 07:24, Kenneth Porter wrote:
--On Tuesday, June 16, 2020 8:17 AM +0800 Ed Greshko <ed.greshko@greshko.com> wrote:

For RHEL/CentOS, I start by listing the back end rules.


What would be the command to list those?

This looks like a good starting point:

<https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes>


The other thing I found odd is that I did

firewall-cmd --set-log-denied=all

And saw no journal entries showing the reject.  I used Wireshark, and I do see.

129.168.2.116----->192.168.122.152 Transmission Control Protocol, Src Port: 44870, Dst Port: 22, Seq: 0, Len: 0
and immediately after
192.168.2.127----->192.168.2.116  Internet Control Message Protocol (Port unreachable)



I should have tried this earlier.  But it seems the issues aren't confined to the libvirt zone.
And the symptoms seem odder.

enp2s0 on the "middle (meimei)" host is 192.168.1.18.  From the "right (acer2)" host I can ping
meimei and ssh to meimei with the firewall active.

However, to a different host 192.168.1.142....

[egreshko@acer ~]$ ping -c 1 -q 192.168.1.142
PING 192.168.1.142 (192.168.1.142) 56(84) bytes of data.

--- 192.168.1.142 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

But....

[egreshko@acer ~]$ ssh 192.168.1.142
ssh: connect to host 192.168.1.142 port 22: No route to host


--
The key to getting good answers is to ask good questions.
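A worked example for the two questions raised in the quoted exchange (how to list what firewalld has put into its nftables backend, and why a blocked SSH connection shows up as an ICMP reject rather than a journal entry). This is an added script, not something posted in the thread or shipped by firewalld. It reads the text of `nft list ruleset` and picks out the reject rules and any log rules, naming the chain each one lives in, then says what a TCP client sees for each reject type: the kernel maps an ICMP admin-prohibited reply to EHOSTUNREACH, which ssh prints as "No route to host", while a port-unreachable reply becomes ECONNREFUSED. The embedded ruleset is a constructed sample modelled on firewalld's nftables layout (the chain names are firewalld's; the log prefix and the exact rule set are illustrative) so the script runs offline without root or nft.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find the reject rules in
# firewalld's nftables backend and the log rules that --set-log-denied adds.
#
# Live host:  sudo nft list ruleset > /tmp/rs.txt; sh this_script.sh /tmp/rs.txt
# Offline:    sh this_script.sh        (uses the constructed sample below)

# Constructed sample modelled on firewalld's nftables output. Chain names
# follow firewalld's naming; the rules themselves are illustrative.
SAMPLE_RULESET=$(cat <<'EOF'
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        log prefix "FINAL_REJECT: "
        reject with icmpx type admin-prohibited
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        iifname "enp2s0" goto filter_IN_public
        iifname "virbr0" goto filter_IN_libvirt
        goto filter_IN_public
    }
    chain filter_IN_public {
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
    }
    chain filter_IN_libvirt {
        jump filter_IN_libvirt_log
        jump filter_IN_libvirt_deny
        jump filter_IN_libvirt_allow
        accept
    }
    chain filter_IN_libvirt_allow {
        udp dport 67 ct state { new, untracked } accept
    }
    chain filter_IN_libvirt_deny {
        reject
    }
}
EOF
)

# Print "chain: rule" for every rule matching an ERE, tracking the enclosing
# chain so the output says where the rule lives. Ruleset text on stdin.
rules_matching() {                          # $1 = extended regex
    awk -v pat="$1" '
        /^[ \t]*chain [^ ]+ [{]/ { chain = $2; next }   # entering a chain
        /^[ \t]*[}]/             { chain = "";  next }  # leaving it
        chain != "" && $0 ~ pat  { sub(/^[ \t]+/, ""); print chain ": " $0 }'
}

reject_rules() { rules_matching '(^| )reject( |$)'; }
log_rules()    { rules_matching '(^| )log( |$)'; }

# What a TCP client sees for each reject the backend can emit. A bare nft
# "reject" sends ICMP port-unreachable; admin-prohibited is ICMP type 3
# code 13, which Linux reports as EHOSTUNREACH ("No route to host").
client_error_for() {                        # $1 = one line from reject_rules
    case "$1" in
        *admin-prohibited*)         echo "No route to host (EHOSTUNREACH)" ;;
        *port-unreachable*|*reject) echo "Connection refused (ECONNREFUSED)" ;;
        *"tcp reset"*)              echo "Connection refused (RST)" ;;
        *)                          echo "unknown reject type" ;;
    esac
}

ruleset_text() {                            # $1 = file, or empty for sample
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_RULESET"; fi
}

main() {
    rs=$(ruleset_text "$1")
    echo "== reject rules =="
    printf '%s\n' "$rs" | reject_rules | while IFS= read -r line; do
        printf '%s  -> client sees: %s\n' "$line" "$(client_error_for "$line")"
    done
    echo "== log rules (none listed means no log-denied rules are present) =="
    printf '%s\n' "$rs" | log_rules
}

main "$@"
```

Reading the sample the way the script does explains the two observations in the thread without needing a routing problem: a SYN that falls through to the final reject in filter_INPUT is answered with admin-prohibited and the client reports "No route to host", while a zone whose deny chain carries a bare reject answers with port-unreachable, which is the ICMP that Wireshark showed. Ping keeps working in both cases because ICMP is accepted earlier in the zone chain.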