[CentOS] firewalld - same source in different zones

Mon Feb 8 17:19:07 UTC 2021
Łukasz Posadowski <mail at lukaszposadowski.pl>

Hi.

I have a little trouble with firewalld. I'm trying to open some ports
for monitoring server, but it's in the same network as "home" zone:

Monitored host (192.168.111.60):

lukasz @ strategie 17:52:19  ~ $ 
  ->  sudo firewall-cmd --get-active
home
  sources: 192.168.111.0/24
  (open ports 22, 80, 443)
monitoring
  sources: 192.168.111.19
  (open ports: 5666)
public
  interfaces: ens18
  (no open ports)

---------------------------------------------------

Monitoring host (192.168.111.19):

lukasz @ potemkin 17:57:25  ~ $ 
  ->  telnet strategie.ping.local 5666
Trying 192.168.111.60...
telnet: connect to address 192.168.111.60: No route to host

lukasz @ potemkin 17:57:26  ~ $ 
  ->  telnet strategie.ping.local 80
Trying 192.168.111.60...
Connected to strategie.ping.local.
Escape character is '^]'.
^]
telnet> Connection closed.

---------------------------------------------------

I think there are conflicting rules on the monitored host, that:
- prevent access to 5666 from 192.168.111.0/24,
- give access to 5666 from 192.168.111.19,
and packets from potemkin are routed through the home zone.

I really would like to have a dedicated "monitor" zone. Is there a way to
give the "monitor" zone more priority than "home"? I may end up with OpenVPN
on potemkin and use 172.30.25.0/24 for monitoring, but, apart from the
encryption aspect, it seems a little excessive.

Thank you.

-- 
Łukasz Posadowski
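A small diagnostic that makes the overlap described in the post visible. It is an added example, not part of the original message or of firewalld itself: for a client address it lists every active zone whose source binding covers that address, using CIDR arithmetic in the shell. The zone listing is constructed here from the `firewall-cmd --get-active-zones` output quoted above (with the poster's "(open ports ...)" annotations dropped) so the script runs offline; on a real host you would fill ACTIVE_ZONES from the command itself. When an address is claimed by more than one zone, which zone firewalld actually applies depends on how it orders its source dispatch rules, which this script does not model.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): show every active firewalld
# zone whose source binding covers a given client IP, so an overlapping
# /24 zone and a single-host zone are both reported.

# Constructed from the post's `firewall-cmd --get-active-zones` output.
# On a real host: ACTIVE_ZONES="$(sudo firewall-cmd --get-active-zones)"
ACTIVE_ZONES='home
  sources: 192.168.111.0/24
monitoring
  sources: 192.168.111.19
public
  interfaces: ens18'

# ip_to_int A.B.C.D -> 32-bit integer (e.g. 192.168.111.60 -> 3232263996)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR; a bare address is /32
in_cidr() {
  local ip=$1 cidr=$2 net prefix mask
  net=${cidr%/*}
  if [ "$net" = "$cidr" ]; then prefix=32; else prefix=${cidr#*/}; fi
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zones_for_source IP -> one "ZONE SOURCE" line per source binding in
# $ACTIVE_ZONES that covers IP. Interface bindings (public/ens18) are not
# source bindings and are skipped; zone names are the unindented lines.
zones_for_source() {
  local ip=$1 zone line src
  printf '%s\n' "$ACTIVE_ZONES" | while IFS= read -r line; do
    case "$line" in
      "  sources: "*)
        for src in ${line#  sources: }; do
          if in_cidr "$ip" "$src"; then printf '%s %s\n' "$zone" "$src"; fi
        done ;;
      "  "*) ;;          # interfaces: ... and any other indented detail
      *) zone=$line ;;   # new zone block starts
    esac
  done
}

# potemkin's address is covered by both home (/24) and monitoring (/32):
zones_for_source 192.168.111.19
```

Run it with `bash diag.sh`; two lines of output for 192.168.111.19 means the monitoring host is eligible for both zones, which is the situation the telnet results above point at, while 192.168.111.60 or any other host in the subnet matches only home. To check the configured binding directly on the monitored host, `firewall-cmd --get-zone-of-source=192.168.111.19` reports which zone that exact source string is bound to, but it does not tell you which zone wins when a broader source also covers the address.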