On Mon, Jul 10, 2023 at 7:43 AM Marc Chamberlin via openSUSE Users <users@lists.opensuse.org> wrote:
I don't grok the difference between policies and forwarding/port forwarding rules.
Forwarding says where packets should be sent. Policy says whether it is allowed to do so. When the system receives the packet, it decides whether it should be delivered to the local system or somewhere else. If it is delivered to the local system, zone definition applies. If it is sent somewhere else, it means forwarding and policy definition applies. Firewalld is using a zone as a trust boundary. It is always allowed to forward packets between interfaces in the same zone; it is always prohibited by default to forward packets between interfaces in different zones. You need a policy to explicitly allow such forwarding. You can collect all interfaces in the same zone and use rich rules or direct rules to control what is allowed. Or you can define several zones and use policies if you need to forward traffic between zones. It is entirely up to you.
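As an added example (not part of the thread), the zone-plus-policy approach described in the reply as a dry-run-by-default shell script: two interfaces go into different zones, and a single policy opens forwarding in one direction only. The interface names eth1/eth0, the use of the built-in internal/external zones and the policy name lan-to-wan are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing list. Prints the firewall-cmd plan
# by default; set APPLY=1 to actually execute it (needs root + firewalld).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Put the LAN and WAN interfaces into two different zones. Interfaces in
# the same zone may forward to each other freely; across zones forwarding
# is denied until a policy allows it. Interface names are hypothetical.
setup_zones() {
    lan_if=$1; wan_if=$2
    run firewall-cmd --permanent --zone=internal --change-interface="$lan_if"
    run firewall-cmd --permanent --zone=external --change-interface="$wan_if"
}

# A policy is what permits forwarding between two zones. Ingress zone is
# where the packet arrives, egress zone is where it leaves. Only the
# ingress -> egress direction is opened; the reverse stays denied because
# no policy covers it.
allow_forward_policy() {
    name=$1; ingress=$2; egress=$3
    run firewall-cmd --permanent --new-policy "$name"
    run firewall-cmd --permanent --policy "$name" --add-ingress-zone "$ingress"
    run firewall-cmd --permanent --policy "$name" --add-egress-zone "$egress"
    run firewall-cmd --permanent --policy "$name" --set-target ACCEPT
}

main() {
    setup_zones eth1 eth0
    allow_forward_policy lan-to-wan internal external
    run firewall-cmd --reload
}

main
```

Run it once without APPLY to review the plan, then with APPLY=1 to commit it; nothing is written to the permanent configuration until --reload.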