I installed a CentOS 8 guest on a CentOS 8 host using libvirt. However, firewalld is blocking all outgoing traffic from the guest to the internet unless I use target=ACCEPT for the libvirt zone.

The datacenter provides two separate IPv4 addresses for the server and I want to use one of these IP addresses for the guest VM.

# virsh net-dumpxml public
<network connections='1'>
  <forward mode='route'/>
  <bridge name='br-public' zone='libvirt-public' stp='on' delay='0'/>
  <mac address='…'/>
  <ip address='(HOST IP)' netmask='' />
  <ip family='ipv6' address='…' prefix='128' />

# firewall-cmd --list-all --zone=libvirt-public
libvirt-public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: br-public
  services: dhcp dhcpv6 dns ssh
  protocols: icmp ipv6-icmp
  masquerade: no
  rich rules: 

I assumed that ICMP, SSH, and DNS should work fine as these are listed in the firewalld zone.

However somehow firewalld on the host blocks all outgoing traffic:

(guest) # ping
PING ( 56(84) bytes of data.
From (HOST IP) icmp_seq=1 Packet filtered

When I log all denied packets on the host I can see that firewalld is rejecting these network connections:

"filter_FWDI_libvirt-public_REJECT: "IN=br-public OUT=enp3s0 MAC=… SRC=(GUEST IP) DST= LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40405 DF PROTO=ICMP TYPE=8 CODE=0 ID=1594 SEQ=3 

Everything starts to work as expected when I set the zone target to ACCEPT (though I'd prefer to use REJECT):

# firewall-cmd --zone=libvirt-public --permanent --set-target=ACCEPT
# firewall-cmd --reload

So obviously I don't understand firewalld's zone configuration. Do services/protocols only refer to incoming connections? How do I allow certain outgoing connections (but not all)?
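An added triage helper, not part of the question above: it parses firewalld `--set-log-denied` kernel log lines like the one shown and reports which filtering path and zone rejected each packet. The chain prefixes it recognises (filter_IN_, filter_FWDI_, filter_FWDO_) are firewalld's nftables naming; the zone's services list is applied on the INPUT path, while the logged `filter_FWDI_libvirt-public_REJECT` chain is the FORWARD path for traffic entering the host from that zone's interface. The sample log lines are constructed (documentation-range addresses), with the first mirroring the question's line.

```shell
#!/bin/sh
# Classify firewalld REJECT/DROP log lines by path (INPUT vs FORWARD) and zone.

# Constructed sample lines in firewalld's log-denied format (not the poster's data).
SAMPLE_LOGS='filter_FWDI_libvirt-public_REJECT: IN=br-public OUT=enp3s0 MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40405 DF PROTO=ICMP TYPE=8 CODE=0 ID=1594 SEQ=3
filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=23 SYN
filter_FWDO_libvirt-public_REJECT: IN=enp3s0 OUT=br-public MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40000 DPT=22 SYN'

# classify_chain CHAIN -> "PATH ZONE" (action suffix such as _REJECT is stripped)
classify_chain() {
    case $1 in
        filter_IN_*)   path=INPUT;        rest=${1#filter_IN_} ;;   # zone services/ports match here
        filter_FWDI_*) path=FORWARD-from; rest=${1#filter_FWDI_} ;; # entered from zone, being routed out
        filter_FWDO_*) path=FORWARD-to;   rest=${1#filter_FWDO_} ;; # routed toward the zone
        *) printf 'UNKNOWN\n'; return 1 ;;
    esac
    printf '%s %s\n' "$path" "${rest%_*}"
}

# field LINE KEY -> value of KEY=... (empty when the key has no value, e.g. OUT=)
field() {
    printf '%s\n' "$1" | sed -n "s/^.*[[:space:]]$2=\([^[:space:]]*\).*$/\1/p"
}

# summarize_line LINE -> "PATH ZONE PROTO SRC->DST via IN->OUT"
summarize_line() {
    chain=${1%%:*}    # the log prefix ends at the first colon
    printf '%s %s %s->%s via %s->%s\n' "$(classify_chain "$chain")" \
        "$(field "$1" PROTO)" "$(field "$1" SRC)" "$(field "$1" DST)" \
        "$(field "$1" IN)" "$(field "$1" OUT)"
}

# summarize_logs LOGTEXT -> one summary line per log line
summarize_logs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -n "$line" ]; then summarize_line "$line"; fi
    done
}

# count_path LOGTEXT PATH -> number of rejected packets on that path
count_path() {
    summarize_logs "$1" | grep -c "^$2 " || true
}

summarize_logs "$SAMPLE_LOGS"
```

A rejection on FORWARD-from tells you the zone's services list never saw the packet; a rejection on INPUT is the case that list does govern.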

