http://bugzilla.suse.com/show_bug.cgi?id=1140566

Bug ID: 1140566
Summary: firewalld: rich masquerading rules don't work
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: openSUSE Factory
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I wanted to create a rich rule to enable masquerading only for packets with a
certain source address:

# firewall-cmd --zone nat --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.30.0/24" masquerade

This is what iptables-save shows:

-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE

As you can see, the last rule does not filter by source address, which was the
whole purpose of the rich rule instead of "--add-masquerade".

This is fixed by upstream commit bd784bf "fw_zone: fix rich rule masquerading",
which is included in firewalld 0.6.4. With that fix, the rule is correctly
generated:

-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE

Please push that version (already in security:netfilter) to factory.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
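A quick way to verify on a host whether the generated NAT rules have this defect is to parse `iptables-save -t nat` and flag any MASQUERADE rule in a firewalld `POST_<zone>_allow` chain that carries no positive `-s` match. The following is an added example (not part of the bug report or of firewalld); the two embedded rule sets are the broken and fixed outputs quoted in the report, and the function `unscoped_masquerade` and its chain-name heuristic are assumptions of this example.

```python
import shlex

# Rule fragments copied from the bug report: firewalld output before the fix
# (no source match on the MASQUERADE rule) and after commit bd784bf.
BROKEN_RULES = """\
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE
"""

FIXED_RULES = """\
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' iptables-save line into (chain, matches, target).

    matches maps an option (-s, -d, -i, -o, -p) to (negated, value); a '!'
    immediately before the option marks it negated.  Other match extensions
    are skipped.  Returns None for lines that are not append rules.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain = tokens[1]
    matches = {}
    target = None
    negate = False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in ("-j", "-g") and i + 1 < len(tokens):
            target = tokens[i + 1]
            i += 2
            continue
        if tok in ("-s", "-d", "-i", "-o", "-p") and i + 1 < len(tokens):
            matches[tok] = (negate, tokens[i + 1])
            negate = False
            i += 2
            continue
        negate = False
        i += 1
    return chain, matches, target


def unscoped_masquerade(save_output, expected_source=None):
    """Return MASQUERADE rules in firewalld's POST_<zone>_allow chains (where
    rich rules are rendered) that lack a positive -s match, or whose -s value
    differs from expected_source when one is given (assumed heuristic)."""
    findings = []
    for line in save_output.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        if target != "MASQUERADE" or not chain.endswith("_allow"):
            continue
        src = matches.get("-s")
        if src is None or src[0]:
            findings.append(line)  # no source filter at all, or a negated one
        elif expected_source is not None and src[1] != expected_source:
            findings.append(line)  # filtered, but not on the intended network
    return findings


if __name__ == "__main__":
    # On a live host: iptables-save -t nat | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_RULES
    for rule in unscoped_masquerade(data):
        print("unscoped masquerade:", rule)
```

Running the script without input checks the quoted broken rule set and reports the `POST_work_allow` rule; feeding it the post-fix output yields nothing, and passing `expected_source="192.168.30.0/24"` additionally confirms the rich rule was rendered for the intended network.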