After doing the non-permanent firewalld tests [1] I see the rules being double inserted. Please see log:

[root@localhost ~]# firewall-cmd --zone=work --add-service=samba-client
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
[root@localhost ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
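
A check for the symptom in the report above, as an added example that is not part of the original report or of firewalld's code: it reads iptables-save output on stdin and lists every rule that appears more than once in the same chain. The function names and the sample dump are constructed for illustration, and the dump is assumed to be taken without per-rule counters (no -c option).

```shell
#!/usr/bin/env bash
# Added example: list rules that occur more than once in the same table and
# chain of an iptables-save dump. Exit status is 1 when duplicates are found.
find_duplicate_rules() {
    awk '
        BEGIN { table = "?" }                  # dump may be filtered, so no table line
        /^\*/ { table = substr($0, 2); next }  # "*filter" opens a table section
        /^-A / {
            # The chain name is part of the rule text, so identical text within
            # one table means the same rule was appended to the same chain twice.
            key = "[" table "] " $0
            if (++seen[key] == 2) order[++n] = key
        }
        END {
            for (i = 1; i <= n; i++) printf "%dx %s\n", seen[order[i]], order[i]
            exit (n > 0)
        }
    '
}

# Constructed sample shaped like the post-restart listing in the report.
sample_dump() {
    cat <<'EOF'
*filter
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample: ./script --demo
# Live use on a host: iptables-save | find_duplicate_rules
if [ "${1:-}" = "--demo" ]; then
    sample_dump | find_duplicate_rules
fi
```

Running it before and after a firewalld restart shows whether the restart re-appended rules that were already loaded.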
Created attachment 662389: debug log from firewalld start
I can also reproduce it with: https://fedoraproject.org/wiki/QA:Testcase_persistent_firewalld_zones
*** Bug 886503 has been marked as a duplicate of this bug. ***
Created attachment 663004: this change seems to fix the problem
Pushed http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=2152843143fe68bd29cddc1005f227544a9d5082
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.