Firewalld - multiple services / sources?

If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that?

I can't tell if firewalld is just really poorly documented or very limited. I am sorely tempted to disable it and just use good ol' iptables, but I don't like the kneejerk "Just disable it!" attitude, partly because one day there'll be something that you have to do "the new way", and you'll be far behind the curve.

Did you look into easy-to-use utilities like iptables?

Firewalld implements a zone concept. To allow access to services based on the source address, just create a new zone, add source addresses and services to the zone and you are done.

Here is an example.

First we create a new zone named test

firewall-cmd --permanent --new-zone=test

This new zone shall be effective for sources in the 10.100.250.0/24 address range:

firewall-cmd --permanent --zone=test --add-source=10.100.250.0/24

Now we add port 22 (represented by the predefined service ssh) and port 8080 to the zone:

firewall-cmd --permanent --zone=test --add-service=ssh
firewall-cmd --permanent --zone=test --add-port=8080/tcp

These commands created and populated the file /etc/firewalld/zones/test.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <source address="10.100.250.0/24"/>
  <service name="ssh"/>
  <port protocol="tcp" port="8080"/>
</zone>

When you are done, activate your changes with

firewall-cmd --reload

Good documentation of firewalld can be found here: Firewalld - FedoraProject

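The zone-per-source pattern from the answer above, carried through for the three cases in the original question (ssh from one range, freeipa-ldap from a second, https only from a third). This is an added example, not code from the post or from the firewalld project; the zone names (mgmt, ipa, web) and the RFC 5737 address ranges are constructed for illustration. By default it only prints the firewall-cmd commands it would run (DRY_RUN=1); run it with DRY_RUN=0 as root on a firewalld host to apply them. The zone_xml function renders the same inputs as the zone file firewalld writes under /etc/firewalld/zones/, so the result can be reviewed before a reload.

```sh
#!/bin/sh
# Added example (not from the original post): one firewalld zone per source
# range. Zone names and address ranges below are constructed for illustration.
set -eu
: "${DRY_RUN:=1}"   # 1 = print commands only; 0 = execute them (needs root)

# Print the firewall-cmd invocations that create zone NAME, bind it to SRC and
# open the given services and ports in it.
# Usage: zone_cmds NAME SRC "svc1 svc2" "8080/tcp 8443/tcp"
zone_cmds() {
  name=$1 src=$2 services=$3 ports=$4
  printf 'firewall-cmd --permanent --new-zone=%s\n' "$name"
  printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$name" "$src"
  for s in $services; do
    printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$name" "$s"
  done
  for p in $ports; do
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$name" "$p"
  done
}

# Render the zone file firewalld would write to /etc/firewalld/zones/NAME.xml
# for the same inputs (port entries are given as PORT/PROTO, e.g. 8080/tcp).
zone_xml() {
  name=$1 src=$2 services=$3 ports=$4
  printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
  printf '  <short>%s</short>\n' "$name"
  printf '  <source address="%s"/>\n' "$src"
  for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
  for p in $ports; do
    printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
  done
  printf '</zone>\n'
}

# Execute (DRY_RUN=0) or echo (DRY_RUN=1) each command line read from stdin.
run_cmds() {
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 0 ]; then eval "$cmd"; else echo "$cmd"; fi
  done
}

# The question's scenario. freeipa-ldap already contains https, so the ipa
# zone needs no separate https entry; the web zone opens https alone.
apply_all() {
  {
    zone_cmds mgmt 192.0.2.0/24    ssh          ""
    zone_cmds ipa  198.51.100.0/24 freeipa-ldap ""
    zone_cmds web  203.0.113.10/32 https        ""
    # Traffic from sources bound to no zone still hits the default zone, where
    # ssh is enabled out of the box; drop it there so ssh is really restricted.
    echo 'firewall-cmd --permanent --zone=public --remove-service=ssh'
    echo 'firewall-cmd --reload'
    echo 'firewall-cmd --get-active-zones'   # verify the source bindings
  } | run_cmds
}

apply_all
```

The last line matters in practice: a source-bound zone only governs packets whose source address it lists, so unless ssh is removed from the default zone (public on Fedora/RHEL, which enables ssh by default) it stays reachable from every address that matches no zone. Keep source ranges disjoint across zones so each packet can match exactly one of them.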