[CentOS] firewalld - same source in different zones

Mon Feb 8 17:19:07 UTC 2021
Łukasz Posadowski <mail at lukaszposadowski.pl>


I have a little trouble with firewalld. I'm trying to open some ports
for a monitoring server, but it's in the same network as the "home" zone:

Monitored host (

lukasz @ strategie 17:52:19  ~ $ 
  ->  sudo firewall-cmd --get-active
  (open ports 22, 80, 443)
  (open ports: 5666)
  interfaces: ens18
  (no open ports)


Monitoring host (

lukasz @ potemkin 17:57:25  ~ $ 
  ->  telnet strategie.ping.local 5666
telnet: connect to address No route to host

lukasz @ potemkin 17:57:26  ~ $ 
  ->  telnet strategie.ping.local 80
Connected to strategie.ping.local.
Escape character is '^]'.
telnet> Connection closed.


I think there are conflicting rules on a monitored host, that:
- prevent access to 5666 from,
- give access to 5666 from
and packets from potemkin are routed through the home zone.

I really would like to have a dedicated "monitor" zone. Is there a way to
give the "monitor" zone more priority than "home"? I may end up with OpenVPN
on potemkin and use for monitoring, but, apart from
the encryption aspect, it seems a little excessive.

Thank you.

Łukasz Posadowski
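One way to check for the overlap described in the post, as an added example that is not part of the original thread: a small Python script that parses the output of `firewall-cmd --get-active-zones` and reports every IP source bound to one zone that lies inside a network source bound to another zone. The sample output, zone names and addresses below are constructed placeholders, not values from the post.

```python
import ipaddress

# Constructed sample in the layout printed by `firewall-cmd --get-active-zones`:
# a zone name on its own line, followed by indented "interfaces:" / "sources:" lines.
# The zone names and addresses are placeholders, not taken from the original post.
SAMPLE_ACTIVE_ZONES = """\
home
  interfaces: ens18
  sources: 192.168.10.0/24
monitor
  sources: 192.168.10.50
"""


def parse_active_zones(text):
    """Return {zone: {"interfaces": [...], "sources": [...]}} from --get-active-zones text."""
    zones = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = zone name
            current = line.strip()
            zones[current] = {"interfaces": [], "sources": []}
            continue
        key, _, value = line.strip().partition(":")
        if current is None or key not in ("interfaces", "sources"):
            continue
        zones[current][key].extend(value.split())
    return zones


def find_overlaps(zones):
    """List (zone_a, source_a, zone_b, source_b) where source_a lies inside source_b
    but the two sources are bound to different zones. A host in such a position can
    be matched by either zone's rules, which is exactly the symptom in the post."""
    bound = []
    for zone, data in zones.items():
        for src in data["sources"]:
            try:
                bound.append((zone, src, ipaddress.ip_network(src, strict=False)))
            except ValueError:
                continue  # MAC or "ipset:" sources are not IP networks; skip them
    overlaps = []
    for za, sa, na in bound:
        for zb, sb, nb in bound:
            if za != zb and na.version == nb.version and na.subnet_of(nb):
                overlaps.append((za, sa, zb, sb))
    return overlaps


if __name__ == "__main__":
    for za, sa, zb, sb in find_overlaps(parse_active_zones(SAMPLE_ACTIVE_ZONES)):
        print(f"source {sa} (zone {za}) is inside {sb} (zone {zb})")
```

Run it against real output with `firewall-cmd --get-active-zones | python3 script.py` after replacing the constructed sample with `sys.stdin.read()`.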