I updated from Fedora 34 to 36 on my gateway machine. Computers on the LAN could no longer access the POP3 server. Somehow some service settings got lost. What else got lost in the transition? NAT/forwarding no longer works. This didn't matter because there is a second gateway with a much faster internet connection. Except it mattered today because Rogers Communications internet and phone service went out, across their service area in Canada. When I tried to use the gateway with F36, it would not work. Just as a simple example, from the LAN ping external-site generated a "Packet filtered" response returned by the gateway. On the other hand this worked fine: ping gw-LAN-address and so did ping gw-public-address This looks like a problem with forwarding. googling got me this: <https://www.it-hure.de/2021/12/firewalld-fedora-34-35-masquerade-between-... It proposed this: firewall-cmd --permanent --new-policy policy_int_to_ext firewall-cmd --permanent --policy policy_int_to_ext --add-ingress-zone public firewall-cmd --permanent --policy policy_int_to_ext --add-egress-zone external firewall-cmd --permanent --policy policy_int_to_ext --set-priority 100 firewall-cmd --permanent --policy policy_int_to_ext --set-target ACCEPT firewall-cmd --permanent --zone=external --add-masquerade systemctl restart firewalld firewall-cmd --info-policy policy_int_to_ext I tried this (replacing "public" with the right zone for my setup). This isn't quite working. tcpdumping the gateways external port, I can see the ICMP Echo Request makes it out and an ICMP Echo Reply comes back, but it never make it into the LAN. Ditto for ssh. Can anyone see what I've missed? Where can I see "policy" stuff in the firewall GUI? I haven't found it. Another oddity. After I did the proposed firewall changes listed above, I dumped the netfilter rules "nft -l" and compared them with the previous dump. There seemed to be a certain amount of refactoring: there were separate functions for virbr0. Why? I no longer have confidence in the migrated firewall config. Is there a way to start over, as if this were a fresh installation of Fedora 36. I think the "policy" feature is just what I need for other problems, so it is great to see this addition. It seems too sparsely documented for me to completely understand it. Boy is "policly" an overused term in networking. _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure