On 17 Nov 2015 17:30, "Nick Bright" <nick.bright at valnet.net> wrote:
>
> On 11/17/2015 11:12 AM, Nick Bright wrote:
>>
>> firewall-cmd --zone=monitoring --add-source=1.2.3.4/32
>> firewall-cmd --zone=monitoring --add-service=snmp
>> firewall-cmd --zone=monitoring --add-interface=ens192
>> firewall-cmd --runtime-to-permanent
>
> I went ahead and tried this and found that the zone and service must first be created, which requires use of:
>
> firewall-cmd --new-zone=monitoring --permanent (--permanent is required)
> firewall-cmd --new-service=snmp
>
> edit /etc/firewalld/services/snmp.xml:
>
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>snmp</short>
>   <description>Simple Network Management Protocol</description>
>   <port port="161" protocol="udp" />
> </service>
>
> firewall-cmd --reload
>
> However, at the end
>
> firewall-cmd --zone=monitoring --add-interface=ens192
>
> This results in a zone conflict. I'm not sure if it's even possible to have two zones on the interface.
>

A zone applies to a source network or interface. Have a flick through: https://www.hogarthuk.com/?q=node/9

Surprised SNMP isn't already defined as a service in /usr/lib/firewalld/services .... Perhaps snmpd? Don't have a system to hand to check.
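The sequence below is an added example, not code posted by either participant, that puts the steps from the thread in the order that worked (zone and service created permanently first, then one reload) and sidesteps the zone conflict: an interface can belong to only one firewalld zone, so instead of binding ens192 a second time the zone is keyed on the monitoring host's source address, which is what the reply's "a zone applies to a source network or interface" points at. The zone name `monitoring`, the host `1.2.3.4/32` and the service XML are taken from the thread; the `install_snmp_service` helper, the check for a packaged definition under `/usr/lib/firewalld/services`, and the `--get-zone-of-source` / `--get-zone-of-interface` verification calls are this example's own choices.

```shell
#!/bin/sh
# Added example: source-based "monitoring" zone for SNMP with firewalld.
# Values from the thread: zone "monitoring", monitoring host 1.2.3.4/32,
# service "snmp" on 161/udp. Everything else is this example's assumption.

ZONE="monitoring"
MON_SRC="1.2.3.4/32"
SERVICE="snmp"

# The hand-written service definition from the thread.
snmp_service_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>snmp</short>
  <description>Simple Network Management Protocol</description>
  <port port="161" protocol="udp"/>
</service>
EOF
}

# Write the service file into a firewalld services directory ($1) unless a
# packaged definition already exists in the system directory ($2, default
# /usr/lib/firewalld/services). Returns 0 if written, 1 if a packaged copy
# was found and nothing needed to be done.
install_snmp_service() {
    etc_dir="$1"
    sys_dir="${2:-/usr/lib/firewalld/services}"
    if [ -f "$sys_dir/$SERVICE.xml" ]; then
        return 1
    fi
    mkdir -p "$etc_dir"
    snmp_service_xml > "$etc_dir/$SERVICE.xml"
    return 0
}

# Build the zone in the permanent configuration, then reload once. The zone
# is populated by source address, not by interface, so ens192 keeps whatever
# zone it already has and no "zone conflict" arises.
apply_monitoring_zone() {
    # harmless if the zone already exists from an earlier run
    firewall-cmd --permanent --new-zone="$ZONE" 2>/dev/null || true
    firewall-cmd --permanent --zone="$ZONE" --add-source="$MON_SRC"
    firewall-cmd --permanent --zone="$ZONE" --add-service="$SERVICE"
    firewall-cmd --reload
    # Verify the classification: traffic from the monitoring host lands in
    # the new zone, while the interface itself is unchanged.
    firewall-cmd --get-zone-of-source="$MON_SRC"
    firewall-cmd --get-zone-of-interface=ens192
    firewall-cmd --zone="$ZONE" --list-all
}

# Only touch a live system when firewalld is present and we are root.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    install_snmp_service /etc/firewalld/services \
        || echo "using packaged $SERVICE service definition"
    apply_monitoring_zone
fi
```

Keeping the zone source-based also makes the exposure explicit: `--list-all` on the zone should show exactly one source and one service, and any SNMP packet from another address falls back to the interface's existing zone, where the service is not opened.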