Hi all, I just installed Fedora 20 on my desktop and I'm playing with firewalld for the first time. I read the docs and with the new rich-rules I think I'm a happy camper so far. I have some questions & observations: # firewall-config (GUI app) I opened a bugzilla because every time you start the app it starts maximized: https://bugzilla.redhat.com/show_bug.cgi?id=1046811 # Target for a Zone When using firewall-config and you switch to permanent configuration, in order to edit one of the zone properties, there's a Target drop-down list there. When I changed ACCEPT to DROP for the public zone (my default) I noticed only the FORWARD chain was changed. I did an "iptables -L -n -v" in order to confirm this. The actual chain affected is FWDI_public (where the last REJECT rule is replaced by a DROP). Shouldn't the IN_public (for public zone) have a DROP statement as well? Since it doesn't have it, a REJECT from the default INPUT chain is what gets applied. Is this a bug? Also, when I do this I loose all my connections (can't browse the web, anything..). I have dissected the resulting iptable rules and I only see the change in the FWDI_public chain. Nothing else. I can't find the culprit. I have to change the target back to ALLOW for things to get normal again. In a nutshell, I would like all packets to be dropped for all services that are not allowed. How can I do this via firewall-cmd/firewall-config? I know there's a drop zone but still would like to learn how to change the default target for a given zone. # Immutable What does it mean for a zone to be immutable? Is it that, once loaded, you can't change it? (add/remove rules)? When I change my default zone to the drop zone, I still can add/remove services from it. # Best Practices If I'm going to add/remove services for a given zone, is it better to just clone one zone and have one of my own? Should I leave all the stock zones as they are? Thanks in advance. Best regards, Jorge