Firewalld Fedora 34 -> 35 Masquerade between Zones not working anymore

I updated my firewall from 34 to 35 and my firewall was not working anymore. There is a not good documented change with the release of firewalld 1.0 that hit me.

The fix is simple if you found it.

firewall-cmd --permanent --new-policy policy_int_to_ext
firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone public
firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external
firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100
firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT
firewall-cmd --permanent --zone=external --add-masquerade
systemctl restart firewalld
firewall-cmd --info-policy policy_int_to_ext


This entry was posted in Uncategorized and tagged . Bookmark the permalink.

2 Responses to Firewalld Fedora 34 -> 35 Masquerade between Zones not working anymore

  1. John says:

    I had the same problem, and fixed it like this. Do you have any comments about the differences?

    # firewall-cmd –permanent –set-target=ACCEPT –zone=internal

    # firewall-cmd –reload

  2. Bill says:

    Thanks for the tip! This is buried in the notes for “The upcoming v1.0.0” on, but I think it really ought to be listed in the “Common F35 bugs” wiki page on

    The answer to John’s question is on that same page. If the zone target is “default” then it now acts like “REJECT” (except for ICMP packets), whereas previously “default” also permitted packet forwarding. Now to enable forwarding you have to explicitly allow it in a policy. Changing the zone target to “ACCEPT” will also work, but it will do so by essentially removing the firewall altogether from that zone.

Leave a Reply

Your email address will not be published. Required fields are marked *