(In reply to Martin Wilck from comment #10)

Hi @Martin- Thank you for the tip. To add some more info/clarification, the sysctl settings

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0

worked on the system that I upgraded first (from 15.0 to 15.1) but when I recently upgraded a second system it did not work as I believe, like you noted, that they were being "applied" before the br_netfilter module was loaded. OTOH, if I comment out the line

    softdep bridge post: br_netfilter

as in Comment 2 then /proc/sys/net/bridge/bridge-nf-call-ip(6)tables does not even exist to set and traffic goes through and bypasses the firewall as desired.

As far as FirewallD, I spent a bit of time when switching from SuSEFirewall2 to FirewallD because it seems that SuSEFirewall2 (automatically?) included the equivalent of

    firewall-cmd --permanent --direct --passthrough ipv6 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

and FirewallD did not, at least that's what I recall from the susefirewall2-to-firewalld script output and doing some troubleshooting. I'm also using wicked and not NetworkManager. Nothing seemed to "automatically" configure the bridge/firewall or add the virtual interfaces in such a way that they can be easily manipulated in firewall-config.

In response to Comment 25, I agree that it's not desirable to accidentally expose something outside of the firewall that you don't want. In my case, I want the traffic to be sent directly to the VM to be processed by the VM's firewall and not the host's firewall (either by forwarding through the host firewall or bypassing the host firewall). I could also see where it might be desirable to have some VMs on a host to be "outside" and some "inside," depending on what the VM is for.

If it's helpful, I've attached the output of "firewall-cmd --list-all-zones" and "iptables-save" from a host running 15.1 with suse-module-tools-15.1.13-lp151.1.1 and forwarding rules above added to the firewall. Also, "virsh net-list" does not show any networks. Otherwise it's essentially a stock setup that's been set up using YaST and virt-manager.
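
Editor's added example, not part of the comment above and not code from suse-module-tools: a shell check for the ordering problem the comment describes, where the configured `bridge-nf-call-*` values and the live values under `/proc/sys/net/bridge` disagree. The function name `check_bridge_nf`, its `root` argument and the sample tree (with live values of 1) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Compares the bridge-nf-call-* values requested in a sysctl
# config file with the live values under /proc/sys/net/bridge.
# The second argument (root) is a hypothetical parameter, default "/", so the
# check can also run against a constructed directory tree.
# Returns 0 = live values match, 1 = mismatch, 2 = br_netfilter not loaded.
check_bridge_nf() {
    conf="$1"
    root="${2:-/}"
    dir="${root%/}/proc/sys/net/bridge"
    status=0

    # Without br_netfilter the keys do not exist, so a sysctl run at this
    # point has nothing to set.
    if [ ! -d "$dir" ]; then
        echo "br_netfilter not loaded: no bridge-nf-call-* keys to set"
        return 2
    fi

    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        # The last assignment for a key in the file wins.
        want=$(sed -n "s/^[[:space:]]*net\.bridge\.$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p" "$conf" | tail -n 1)
        [ -n "$want" ] || continue
        have=$(cat "$dir/$key" 2>/dev/null || true)
        if [ "$want" = "$have" ]; then
            echo "$key: ok ($have)"
        else
            echo "$key: configured $want, live ${have:-missing}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: config asks for 0, live tree still holds 1, as when the
# module was loaded after the sysctl settings were applied.
demo=$(mktemp -d)
mkdir -p "$demo/proc/sys/net/bridge"
printf 'net.bridge.bridge-nf-call-ip6tables = 0\nnet.bridge.bridge-nf-call-iptables = 0\n' > "$demo/bridge.conf"
echo 1 > "$demo/proc/sys/net/bridge/bridge-nf-call-iptables"
echo 1 > "$demo/proc/sys/net/bridge/bridge-nf-call-ip6tables"
check_bridge_nf "$demo/bridge.conf" "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

On a real host, pass the sysctl file that carries the two settings as the first argument and omit the second.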