If I've missed someone's response, apologies. As I said, my converted rules seem fine, and I can run the script that issues a bunch of direct rules for the built-in FORWARD rule... but when I try firewall-cmd --reload, it tells me error, that FORWARD is a built-in. Now, today, what I've been looking at is to run iptables-save, and what I see is this (in part): -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited Does this mean that, instead of the format of the entry of the rule being firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD <actual rule) that it should, instead, be firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct <actual rule> ? And if that's what I need to do, that's fine, but I have found *zero* documentation about that. Everything I have found about adding direct rules to a built-in chain don't mention it. Is this so new, it's not documented? mark