I tried to configure the firewall for the OpenStack Controller and Compute nodes, and here are the rules I added to the firewall:

    myZone (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp2s0 enp7s4
      sources:
      services: ssh dhcpv6-client
      ports: 80/tcp 6080/tcp 11211/tcp 9696/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" source address="192.168.0.32" accept
        rule family="ipv4" source address="192.168.0.31" accept

The addresses of the Controller and the Compute nodes are 192.168.0.31 and 192.168.0.32, respectively. Using these rules I can use Horizon in the browser, and the Compute node services can connect to the Controller node's ports.

The problem is that when the firewall is enabled on the Controller node, instances that are running on the Controller node (I configured the Controller node as a Compute node, too) can only be pinged, and all other VMs and nodes (including the Controller node) cannot connect to them (using SSH or any other connection to a specific port).

- There is no firewall running on instances.
- I configured an external network to connect VMs to each other
- CentOS7 is running on all nodes

Here are ports listening on the Controller node:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:8775            0.0.0.0:*               LISTEN      4478/python2
    tcp        0      0 0.0.0.0:9191            0.0.0.0:*               LISTEN      4461/python2
    tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      10189/httpd
    tcp        0      0 0.0.0.0:8776            0.0.0.0:*               LISTEN      4487/python2
    tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      4466/beam.smp
    tcp        0      0 0.0.0.0:8778            0.0.0.0:*               LISTEN      10189/httpd
    tcp        0      0 192.168.0.31:3306       0.0.0.0:*               LISTEN      4860/mysqld
    tcp        0      0 192.168.0.31:2379       0.0.0.0:*               LISTEN      4464/etcd
    tcp        0      0 192.168.0.31:11211      0.0.0.0:*               LISTEN      4457/memcached
    tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      4457/memcached
    tcp        0      0 192.168.0.31:5900       0.0.0.0:*               LISTEN      16844/qemu-kvm
    tcp        0      0 0.0.0.0:9292            0.0.0.0:*               LISTEN      4500/python2
    tcp        0      0 192.168.0.31:2380       0.0.0.0:*               LISTEN      4464/etcd
    tcp        0      0 192.168.0.31:5901       0.0.0.0:*               LISTEN      16982/qemu-kvm
    tcp        0      0 192.168.0.31:5902       0.0.0.0:*               LISTEN      17339/qemu-kvm
    tcp        0      0 192.168.0.31:5903       0.0.0.0:*               LISTEN      17621/qemu-kvm
    tcp        0      0 192.168.0.31:5904       0.0.0.0:*               LISTEN      17840/qemu-kvm
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10189/httpd
    tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4468/sshd
    tcp        0      0 192.168.0.31:3260       0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      4458/python2
    tcp        0      0 0.0.0.0:9696            0.0.0.0:*               LISTEN      4473/python2
    tcp        0      0 0.0.0.0:8774            0.0.0.0:*               LISTEN      4478/python2
    tcp6       0      0 :::5672                 :::*                    LISTEN      4466/beam.smp
    tcp6       0      0 :::22                   :::*                    LISTEN      4468/sshd

So, is there any port or something to add to firewall rules for making instances reachable when the firewall is running on the Controller node?