Greetings,
I have two VMs on a host that can communicate with other hosts on the system.
The two VMs are connected by a virsw0 bridge (vm1 and vm2), and one of the VMs (vm1) has
another connection (vnet0) to the host.
It seems that the host can only communicate with the VM that has a direct connection to it
and not the other VM (virsw0 allows connections between both VMs).
Here are the rules libvirt creates:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virsw0 -o virsw0 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 68 -j ACCEPT
And here are the stats:
Chain INPUT (policy ACCEPT 17405 packets, 1677K bytes)
pkts bytes target prot opt in out source destination
17434 1688K LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 21058 packets, 3788K bytes)
pkts bytes target prot opt in out source destination
21058 3788K LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * virsw0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- virsw0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virsw0 virsw0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virsw0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virsw0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
29 10608 ACCEPT udp -- virsw0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virsw0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virsw0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virsw0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virsw0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virsw0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
Is it possible I cannot access vm2 from the host because of the rules above?
Thanks,
Dagg
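Added example, not part of the post above, of any reply, or of libvirt itself: a small Python model of the iptables ruleset Dagg posted that walks a packet through a chain (following -j into the LIBVIRT_* user chains and falling back to the built-in policy) and reports the verdict. It lets you check, offline, which interface pairs the LIBVIRT_FWI/LIBVIRT_FWO REJECT rules actually hit. The rule text is copied verbatim from the post; the interface name eth0, the sample packets, and the assumption that every option takes exactly one argument (true for this ruleset, not for iptables in general) are mine.

```python
"""Walk a packet through the libvirt iptables rules quoted in the post.

Added example, not libvirt's or the poster's code. The rule text below is
copied from the post (`iptables -S` format); eth0 and the sample packets
are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rules exactly as posted.
LIBVIRT_RULES = """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virsw0 -o virsw0 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 68 -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    iif: str = ""              # ingress interface ("" for host-originated traffic)
    oif: str = ""              # egress interface ("" for host-terminated traffic)
    proto: str = ""            # "tcp", "udp", or "" for anything else (e.g. icmp)
    dport: Optional[int] = None


@dataclass
class Rule:
    iif: Optional[str]
    oif: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    target: str

    def matches(self, pkt: Packet) -> bool:
        # An unset match (None) is a wildcard, as in iptables.
        return ((self.iif is None or self.iif == pkt.iif)
                and (self.oif is None or self.oif == pkt.oif)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class RuleSet:
    def __init__(self, text: str):
        self.policy: Dict[str, str] = {}        # built-in chain -> policy
        self.chains: Dict[str, List[Rule]] = {}  # chain -> rules in order
        for line in text.strip().splitlines():
            tok = line.split()
            if tok[0] == "-P":
                self.policy[tok[1]] = tok[2]
                self.chains.setdefault(tok[1], [])
            elif tok[0] == "-N":
                self.chains.setdefault(tok[1], [])
            elif tok[0] == "-A":
                self.chains.setdefault(tok[1], []).append(self._parse(tok[2:]))

    @staticmethod
    def _parse(args: List[str]) -> Rule:
        # Assumption: every option takes one argument. That holds for this
        # ruleset; `!` negation or flag-only options like --syn would need more.
        opts = {"-i": None, "-o": None, "-p": None, "--dport": None, "-j": None}
        for i in range(0, len(args), 2):
            if args[i] in opts:          # -m <module> / --reject-with <x> are skipped
                opts[args[i]] = args[i + 1]
        dport = int(opts["--dport"]) if opts["--dport"] else None
        return Rule(opts["-i"], opts["-o"], opts["-p"], dport, opts["-j"])

    def verdict(self, chain: str, pkt: Packet) -> str:
        """ACCEPT/DROP/REJECT for a built-in chain; RETURN if a user chain falls through."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target in self.chains:           # -j into a user chain
                sub = self.verdict(rule.target, pkt)
                if sub != "RETURN":
                    return sub
        # Built-in chains end with their policy; user chains return to the caller.
        return self.policy.get(chain, "RETURN")


def trace(rs: RuleSet, chain: str, pkt: Packet) -> str:
    return (f"{chain:8} in={pkt.iif or '*':7} out={pkt.oif or '*':7} "
            f"{pkt.proto or 'all'}/{pkt.dport or '-'}: {rs.verdict(chain, pkt)}")


if __name__ == "__main__":
    rs = RuleSet(LIBVIRT_RULES)
    cases = [
        ("FORWARD", Packet("virsw0", "virsw0")),      # vm1 <-> vm2 across the isolated bridge
        ("FORWARD", Packet("vnet0", "virsw0")),       # host forwarding vnet0 -> virsw0
        ("FORWARD", Packet("virsw0", "eth0")),        # bridge -> LAN (eth0 is assumed)
        ("FORWARD", Packet("vnet0", "eth0")),         # a path libvirt's chains never touch
        ("OUTPUT",  Packet("", "vnet0", "tcp", 22)),  # host's own SSH towards vm1
        ("INPUT",   Packet("virsw0", "", "udp", 67)), # DHCP request from a VM on virsw0
    ]
    for chain, pkt in cases:
        print(trace(rs, chain, pkt))
```

What the model makes visible: the only REJECT rules live in FORWARD and fire solely for packets the host is routing into or out of virsw0 (LIBVIRT_FWI matches -o virsw0, LIBVIRT_FWO matches -i virsw0, with LIBVIRT_FWX excepting virsw0-to-virsw0 first). Packets the host itself originates pass through OUTPUT, where LIBVIRT_OUT only contains ACCEPTs for DNS and DHCP towards virsw0 and everything else falls through to the ACCEPT policy. On a live host the same question is answered by the counters in the post: `iptables -L FORWARD -v -n` shows 0 packets on every FORWARD rule, so a path is only blocked by these rules if a REJECT counter increments while the test traffic is sent.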