HI, me and firewalld won't have a good start, but I hope we'll be good friends. One of my hosts must rerote traffic from one to another host. It isn't a big problem. I've a host witch must do: 1) forwarding port 25 tcp to a second host Here I've a special mail-relay. My external.xml look like this one: <?xml version="1.0" encoding="utf-8"?> <zone> <short>External</short> <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <interface name="eth1"/> <service name="ssh"/> <masquerade/> <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/> </zone> Every thing works expected, incomming traffic on port 25 is forwarded to 10.0.0.87 port 25. 2) traffic from 80.80.80.80 and destination-port 25 should be forwarded to port 22 tcp on 10.0.0.17 and not to 10.0.0.87 on port 25 So I made a new rule with: firewall-cmd --zone=external --add-rich-rule='rule forward-port port="25" to-port="22" to-addr="10.0.0.17" protocol="tcp" family="ipv4" source address="80.80.80.80"' If I try to connect on host 80.80.80.80 my system with: "telnet 10.0.0.17 25" I can connect the final host 10.0.0.17 on port 22 and open-ssh will greet me "SSH-2.0-oPENssh_6.6.1". It is working like I've expected. If I made my new firewall-rule permanent I use: "firewall-cmd --runtime-to-permanent" an the zone-file has now this content: <?xml version="1.0" encoding="utf-8"?> <zone> <short>External</short> <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <interface name="eth1"/> <service name="ssh"/> <masquerade/> <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/> <rule family="ipv4"> <source address="80.80.80.80"/> <forward-port to-addr="10.0.0.17" to-port="22" protocol="tcp" port="25"/> </rule> </zone> O.K. That isn't a miracle. BUT, every is working right till I restart the server or reload the firewalld with: "firewall-cmd --reload" Now I can't access my host 10.0.0.17 via ssh over my transit-host! I'll reach destination-host 10.0.0.87 on port 25. It looks like, my rich rule were'nt definied. :/ Any idea, how to make it reboot-save? Thanx for help ttyl, Django -- "Bonnie & Clyde der Postmaster-Szene!" approved by Postfix-God http://wetterstation-pliening.info http://dokuwiki.nausch.org http://wiki.piratenpartei.de/Benutzer:Django _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos