Hi all,

I'm having an incredibly frustrating time getting firewalld to function properly, and it seems to come down to peculiar behavior regarding rules and zones.

My box is connected to 3 networks: two internal and one public. The two internal networks are bridged and routed properly: with firewalld completely disabled, all traffic back-and-forth across the networks is properly routed. When I enabled firewalld and added the bridge (and both actual interfaces) to the 'trusted' zone, routing suddenly broke. All ssh connections were being forwarded to one specific machine on the network for any address in either internal subnet. I tried various fixes, but nothing worked until: I moved the interfaces from 'trusted' to 'internal'. Now they route properly, and internet traffic is correctly routed via the public network (via NAT/masquerade).

Then the second quirk: I wanted to block ICMP echo requests from the external network. At the time, I had the NIC connected to the public network in the 'external' zone. When I added the icmp-block for echo-request and echo-reply, and tried pinging that IP, the pings returned fine. I added every single supported ICMP block, and even tried blocking them with rich rules, but nothing worked. Until: I moved the interface from 'external' to 'public'.

So, my question is, what gives? The documentation is... very vague about how, exactly, these zones are treated by firewalld's internal mechanics. Inter-NIC routing doesn't work in TRUSTED. ICMP blocks only work in PUBLIC. I've tested this extensively on my box, with consistent results. Am I missing something?

$ firewall-cmd --version
0.3.14.2

Thanks in advance!

Chris
--
Chris Bell

PGP Key ID: 63949CD7

Ph.D. Candidate, Teaching Assistant, Gentleman, Scholar, Penguin Wrangler
University of South Florida
College of Engineering
Department of Computer Science and Engineering
NarMOS Research Team, Official Daemon Charmer

PGP Public Key: http://narmos.org/~cwbell/63949CD7.pub.gpg.asc
Fingerprint: 26EB C946 AAB6 76BE 476E  F96D FF34 7DC9 6394 9CD7
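An added diagnostic, not part of Chris's post and not firewalld's own code: it parses zone files in the layout firewalld writes under /etc/firewalld/zones/ (root `<zone target="...">`, with `<interface name=.../>`, `<icmp-block name=.../>`, `<masquerade/>` and `<forward-port .../>` children) and reports, per interface, which zone files claim it, so the bindings behind the behaviour described above can be read straight from disk rather than inferred from ping results. The sample zone content is constructed, and the "listed in more than one zone file" check is an assumed heuristic, not a documented firewalld rule.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

def parse_zone(name, xml_text):
    """Pull the bindings that decide a packet's fate out of one zone file."""
    root = ET.fromstring(xml_text)
    return {
        "name": name,
        # A zone file with no target attribute uses firewalld's default handling.
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "icmp_blocks": [e.get("name") for e in root.findall("icmp-block")],
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": [dict(e.attrib) for e in root.findall("forward-port")],
    }

def load_zone_dir(path):
    """Parse every <zone>.xml in a firewalld zone directory (file stem = zone name)."""
    return [parse_zone(p.stem, p.read_text()) for p in sorted(Path(path).glob("*.xml"))]

def interface_claims(zones):
    """Map each interface to every zone file that lists it."""
    claims = defaultdict(list)
    for z in zones:
        for iface in z["interfaces"]:
            claims[iface].append(z["name"])
    return dict(claims)

def findings(zones):
    """Configuration facts worth checking before blaming zone semantics (assumed heuristics)."""
    notes = []
    for iface, names in sorted(interface_claims(zones).items()):
        if len(names) > 1:
            notes.append(f"{iface}: listed in more than one zone file {names}")
    for z in zones:
        if z["forward_ports"]:
            notes.append(f"{z['name']}: has forward-port rules {z['forward_ports']}")
        if z["icmp_blocks"] and not z["interfaces"]:
            notes.append(f"{z['name']}: icmp-blocks set but no interface bound to this zone")
    return notes

# Constructed sample: the public NIC is listed in two zone files at once.
SAMPLE = {
    "public": '<zone><interface name="eth0"/><icmp-block name="echo-request"/></zone>',
    "external": '<zone><interface name="eth0"/><masquerade/><service name="ssh"/></zone>',
    "trusted": '<zone target="ACCEPT"><interface name="br0"/></zone>',
}

if __name__ == "__main__":
    for line in findings([parse_zone(n, x) for n, x in SAMPLE.items()]):
        print(line)
```

On a live box, replace the constructed SAMPLE with `load_zone_dir("/etc/firewalld/zones")` and compare the result against `firewall-cmd --get-active-zones`.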