Firewalld Limit Remote Source Connections
(2019-02-14)
Problem
I have an internet-facing service that I want to restrict to a particular (set of) source address(es). The service can't do source-filtering on its own.
Solution
Define a new zone that includes the (set of) address(es) as valid sources, and add specific access rules there.
e.g. to permit only 139.60.168.32 to access snmp:
# firewall-cmd --new-zone=snmp_monitors --permanent
# firewall-cmd --reload
# firewall-cmd --zone=snmp_monitors --add-source=139.60.168.32
# firewall-cmd --zone=snmp_monitors --add-service=snmp
# firewall-cmd --zone=snmp_monitors --add-service=snmp --permanent
# firewall-cmd --zone=snmp_monitors --add-source=139.60.168.32 --permanent
This presumes that the snmp service is not also allowed in whatever zone handles general internet traffic (the default zone, typically public). firewalld checks source-bound zones before the interface's zone, so traffic from 139.60.168.32 lands in snmp_monitors, but traffic from any other address falls through to the default zone; if snmp is open there, the restriction has no effect.
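As an added illustration (not part of the original note), the following Python builds the permanent zone file that the firewall-cmd sequence above ends up writing under /etc/firewalld/zones/, shows which client addresses firewalld would assign to that zone, and checks the presumption in the last sentence by looking for services that are open in both the restricted zone and the default zone. The default-zone XML is a constructed sample; the function names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

def build_zone_xml(name, sources, services):
    """Build the permanent zone file that the firewall-cmd sequence above
    writes to /etc/firewalld/zones/<name>.xml: one <source> per allowed
    address or CIDR block and one <service> per service opened for them."""
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = name
    for src in sources:
        ipaddress.ip_network(src, strict=False)  # reject typos early
        ET.SubElement(zone, "source", address=src)
    for svc in services:
        ET.SubElement(zone, "service", name=svc)
    return ET.tostring(zone, encoding="unicode")

def zone_matches(zone_xml, client_ip):
    """True if firewalld would place a packet from client_ip in this zone:
    source-bound zones are evaluated before the interface's zone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s.get("address"), strict=False)
               for s in ET.fromstring(zone_xml).iter("source"))

def leaked_services(restricted_zone_xml, default_zone_xml):
    """Services allowed in the restricted zone that are ALSO open in the
    default zone. For those the source filter is ineffective: packets from
    any other address fall through to the default zone and are accepted."""
    def names(xml):
        return {s.get("name") for s in ET.fromstring(xml).iter("service")}
    return sorted(names(restricted_zone_xml) & names(default_zone_xml))

# Constructed sample of a default zone (like /etc/firewalld/zones/public.xml)
# in which snmp was mistakenly opened as well.
PUBLIC_ZONE = """<zone><short>Public</short>
<service name="ssh"/><service name="dhcpv6-client"/><service name="snmp"/>
</zone>"""

SNMP_ZONE = build_zone_xml("snmp_monitors", ["139.60.168.32"], ["snmp"])

if __name__ == "__main__":
    print(SNMP_ZONE)
    print("monitor matches:", zone_matches(SNMP_ZONE, "139.60.168.32"))
    print("stranger matches:", zone_matches(SNMP_ZONE, "203.0.113.7"))
    print("leaked services:", leaked_services(SNMP_ZONE, PUBLIC_ZONE))
```

On a real host, compare the restricted zone against the output of `firewall-cmd --list-services --zone=$(firewall-cmd --get-default-zone)`; any overlap means the source restriction is not actually enforced.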