Hello,
We use a monitoring service (Icinga) that listens on port 5665. We would like to restrict access to this port to two servers, and I have achieved this with an ipset and a zone (named icinga) as follows:
<!-- /etc/firewalld/ipsets/icinga.xml (the ipset name comes from the filename) -->
<ipset type="hash:ip">
  <entry>192.168.1.1</entry>
  <entry>192.168.1.2</entry>
</ipset>

<!-- /etc/firewalld/services/icinga.xml -->
<service>
  <port port="5665" protocol="tcp"/>
</service>

<!-- /etc/firewalld/zones/icinga.xml: only traffic from the ipset lands in this zone -->
<zone>
  <service name="icinga"/>
  <source ipset="icinga"/>
</zone>
However, we also use a public zone that has ports such as http and https open. I would like the monitoring servers to be able to _also_ access the web pages on the server, but I don't want to do this by adding these rules to the icinga zone - as then I'm going to end up with duplication and may end up with inadvertently leaving firewall holes open by having the rules in two zones.
What would be the best way to achieve this, please? By doing the monitoring bits as separate services and zones it allows these XML files to be dropped onto many servers without needing to edit the main public zone - and as far as I can see, to restrict based on source IP I need to do that in a separate zone?
Is there a way to get firewalld to evaluate rules in multiple zones in a chain like icinga -> public -> DENY?
Thanks,
Will.
firewalld-users@lists.fedorahosted.org
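One defender-side check for the duplication worry raised above, added here as an example (it is not code from the original post or from the firewalld project): a small audit script that parses firewalld-style zone, service and ipset XML and reports any port opened in more than one zone when one of those zones is interface-bound, i.e. admits any source. The XML strings are constructed to mirror the post plus an assumed public zone on eth0 that also lists the icinga service; on a real host the files would be read from /etc/firewalld/{ipsets,services,zones}/<name>.xml, where the name is the filename.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed XML mirroring the post; on a real host these are the files under
# /etc/firewalld/{ipsets,services,zones}/<name>.xml and the name is the filename.
IPSETS = {
    "icinga": '<ipset type="hash:ip"><entry>192.168.1.1</entry>'
              '<entry>192.168.1.2</entry></ipset>',
}
SERVICES = {
    "icinga": '<service><port port="5665" protocol="tcp"/></service>',
    "http": '<service><port port="80" protocol="tcp"/></service>',
    "https": '<service><port port="443" protocol="tcp"/></service>',
}
ZONES = {
    "icinga": '<zone><service name="icinga"/><source ipset="icinga"/></zone>',
    # Assumed public zone on eth0 that also lists icinga: the duplication to catch.
    "public": '<zone><interface name="eth0"/><service name="http"/>'
              '<service name="https"/><service name="icinga"/></zone>',
}

def zone_sources(zone, ipsets=IPSETS):
    """Who a zone matches: its ipset sources, or 'any' when it is interface-bound."""
    srcs = []
    for s in zone.findall("source"):
        if "ipset" in s.attrib:
            entries = ET.fromstring(ipsets[s.attrib["ipset"]]).findall("entry")
            srcs.append("ipset:%s=%s" % (s.attrib["ipset"],
                                         ",".join(e.text for e in entries)))
    if not srcs and zone.findall("interface"):
        srcs.append("any (interface-bound)")
    return srcs

def port_exposure(zones=ZONES, services=SERVICES):
    """Map each (port, protocol) to the zones (and their sources) that open it."""
    exposure = defaultdict(list)
    for zname, zxml in zones.items():
        zone = ET.fromstring(zxml)
        srcs = zone_sources(zone)
        ports = list(zone.findall("port"))   # ports opened directly in the zone
        for svc in zone.findall("service"):  # plus the ports of each named service
            ports += ET.fromstring(services[svc.attrib["name"]]).findall("port")
        for p in ports:
            exposure[(p.attrib["port"], p.attrib["protocol"])].append((zname, srcs))
    return dict(exposure)

def find_holes(exposure):
    """Ports opened in more than one zone where at least one zone admits any source."""
    return sorted(port for port, opens in exposure.items() if len(opens) > 1
                  and any(s.startswith("any") for _, srcs in opens for s in srcs))
```

Run against the constructed input it flags 5665/tcp, which the icinga zone restricts to the ipset but the public zone exposes to every source on eth0.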