Eric Garver

Results 181 comments of Eric Garver

> But the service definition is already part of the repo and sandboxing it needs just an extension in the definition. If it can be shown that the above service...

So add `--query-zone` and `--query-service`. Note that the latter already exists but is used to query if the service is enabled in a zone or policy, e.g. `--zone public --query-service...

I suggest the following:

1. change the default zone to `drop`; this blocks all unassigned traffic (including your LAN)

   ```
   # firewall-cmd --set-default-zone drop
   ```

2. use an ipset for...

> Why it's not enough to just specify source for public zone?

The default zone is usually `public`. That means all unassigned traffic will go to the `public` zone.

> @erig0 and so if OP adds `--add-source=ipset:allowedCountry` to `public` zone, and `public` zone is also a default one, how would that work?

It does not work. That's why above...
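The three comments above (default zone `drop`, an ipset of allowed sources, and why `--add-source` on the default zone changes nothing) all hinge on firewalld's zone dispatch order: a packet is matched against zone sources first, then the zone its ingress interface is bound to, and only unassigned traffic falls through to the default zone. The model below is an added example, not firewalld's code or anything posted in the thread; it reimplements that lookup order in Python so the two configurations can be compared on constructed sample addresses. The ipset name `allowedCountry` comes from the thread; the address ranges, the `home` zone used to re-admit the LAN, and the interface name `eth0` are assumptions for the illustration.

```python
import ipaddress

# Constructed model of firewalld zone dispatch (example code, not firewalld's
# implementation). Lookup order mirrors firewalld: zone sources first, then the
# zone bound to the ingress interface, then the default zone for anything left.


class ZoneModel:
    def __init__(self, default_zone):
        self.default_zone = default_zone
        self.ipsets = {}           # ipset name -> list of ip_network
        self.zone_sources = {}     # zone -> list of source specs
        self.zone_interfaces = {}  # zone -> set of interface names

    def ipset_add(self, name, cidr):
        self.ipsets.setdefault(name, []).append(ipaddress.ip_network(cidr))

    def add_source(self, zone, spec):
        # spec is a CIDR or "ipset:<name>", as with firewall-cmd --add-source
        self.zone_sources.setdefault(zone, []).append(spec)

    def add_interface(self, zone, iface):
        self.zone_interfaces.setdefault(zone, set()).add(iface)

    def _source_matches(self, spec, ip):
        if spec.startswith("ipset:"):
            nets = self.ipsets.get(spec[len("ipset:"):], [])
        else:
            nets = [ipaddress.ip_network(spec)]
        return any(ip in net for net in nets)

    def zone_for(self, src, iface=None):
        ip = ipaddress.ip_address(src)
        # 1. source-based zone assignment wins
        for zone, specs in self.zone_sources.items():
            if any(self._source_matches(s, ip) for s in specs):
                return zone
        # 2. then the zone the interface is bound to
        for zone, ifaces in self.zone_interfaces.items():
            if iface in ifaces:
                return zone
        # 3. everything else is "unassigned" and lands in the default zone
        return self.default_zone


def build(default_zone):
    """Set up the thread's configuration with the given default zone."""
    fw = ZoneModel(default_zone)
    fw.ipset_add("allowedCountry", "203.0.113.0/24")  # constructed sample range
    fw.add_source("public", "ipset:allowedCountry")
    return fw


def allow_lan(fw, zone="home", cidr="192.168.1.0/24"):
    """Re-admit the LAN by giving it its own source-based zone (assumed names)."""
    fw.add_source(zone, cidr)
    return fw


# Constructed sample packets; eth0 is not bound to any zone in this model.
SAMPLE = {"allowed": "203.0.113.7", "blocked": "198.51.100.9", "lan": "192.168.1.5"}


def classify(fw):
    return {label: fw.zone_for(ip, iface="eth0") for label, ip in SAMPLE.items()}


if __name__ == "__main__":
    print("default=public:", classify(build("public")))
    print("default=drop:  ", classify(build("drop")))
    print("drop + LAN:    ", classify(allow_lan(build("drop"))))
```

With the default zone left at `public`, every sample address resolves to `public`, whether or not it is in the ipset, because the fall-through destination is the same zone the source was added to. With the default zone set to `drop`, only the ipset members reach `public` and the LAN is dropped too, which is why it then needs its own source entry in another zone. On a real host the equivalent permanent configuration is `firewall-cmd --permanent --new-ipset=allowedCountry --type=hash:net`, `firewall-cmd --permanent --ipset=allowedCountry --add-entry=<cidr>`, `firewall-cmd --permanent --zone=public --add-source=ipset:allowedCountry` and `firewall-cmd --set-default-zone=drop`, followed by `firewall-cmd --reload`.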

This is difficult. It would require firewalld to listen for device/interface creation. Currently firewalld doesn't manage interfaces in any way.

There was a [netfilter patch series](https://lore.kernel.org/netfilter-devel/[email protected]/T/#t) a couple months ago that would have addressed this. I'll ping the authors about status. Edit: The author plans to drop a v3 eventually....

> Could firewall-cmd be upgraded to just copy the elements when updating the XML config files?

Possibly. I think it would be useful for all the XML files. In the...

> Hi, There is not much info since last message in this topic.

Which means no one has worked on it.

> So is it possible to add `comment `...

Thanks for the new alias! The Richards of the world rejoice. Unfortunately I cannot merge it at this time due to missing requirements and testing. Some items that need to be addressed:...