I'm trying to understand the logic behind the Linux firewalld zones, and the way they are evaluated.
To my understanding, a zone is defined as a list of interfaces and IP ranges to which allow/deny rules can be applied. Is this correct? For a zone that includes an interface and an additional IP range, will services that are allowed for this zone also be allowed for the IP range even if the traffic reaches the machine from an IP within that range, but through a different interface?
In what order are zones evaluated? What will happen to incoming traffic that is matched by two (possibly contradicting) zones? For example, zone "Z1" allows nfs to the machine from a given interface, and zone "Z2" denies all incoming traffic from an IP. What will happen to NFS traffic that reaches the machine through the interface defined in "Z1" but from the IP defined in "Z2"?