I have a server in a datacenter that serves as an IPA master and VPN server. For simplicity, assume I need to enable the "ipsec" service for VPN, and the "kerberos" service for IPA.
I would like to:
1) Allow traffic from anywhere to access the ipsec ports.
2) Only allow traffic from the private IP space to access the kerberos ports.
This seems easy enough; add a source IP space to the "work" zone, open up "kerberos" in the "work" zone, open up "ipsec" in the "public" zone. However, my interface "eth0" is only attached to the "public" zone. It seems like an interface is only meant to apply to a single zone.
So I have two questions. First, is what I would like to do reasonable? Second, what is the correct usage pattern to accomplish my goals with firewalld? As an example, I know I could accomplish my goals with rich rules, but this sounds like something that should be done using zones.
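The zone layout sketched in the question, as an added shell example that is not part of the original post: it assumes firewalld's documented matching order (a packet is assigned to a zone by a source binding before the zone of its incoming interface, so "work" can carry source ranges while eth0 stays in "public"), and the private ranges, the `fw` wrapper, `FIREWALL_CMD` and `IFACE` are constructed placeholders for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Relies on firewalld matching a
# packet against zone source bindings before the interface's zone, so the
# "work" zone can be source-bound while eth0 remains bound to "public".
# PRIVATE_NETS is a constructed sample of RFC 1918 space; replace with the
# datacenter's real private ranges.
PRIVATE_NETS="${PRIVATE_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
IFACE="${IFACE:-eth0}"

# Wrapper so a dry run is possible with FIREWALL_CMD=echo (assumed helper).
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# work zone: private sources only, kerberos open.
# public zone: the interface itself, ipsec open to anyone.
configure_zones() {
    for net in $PRIVATE_NETS; do
        fw --permanent --zone=work --add-source="$net"
    done
    fw --permanent --zone=work --add-service=kerberos
    fw --permanent --zone=public --change-interface="$IFACE"
    fw --permanent --zone=public --add-service=ipsec
    fw --reload
}

# Check which zone firewalld associates with a registered source and with
# the interface; the source lookup must return "work", the interface "public".
show_zone_decision() {
    fw --get-zone-of-source="$1"
    fw --get-zone-of-interface="$IFACE"
    fw --get-active-zones
}

# Only touch a live firewalld when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    configure_zones
    show_zone_decision 10.0.0.0/8
fi
```

Run with `FIREWALL_CMD=echo sh script.sh apply` first to review the exact firewall-cmd invocations before applying them for real.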