We have a historically grown, rather complicated network layout, forcing me to build complex and hard-to-manage firewalld zones. One thing that would really help me is if there was a way to exclude one subnet from a zone, but I have not found a way to do that.
I'm using firewalld on Red Hat Enterprise Linux 7/8/9, so any solution has to work with firewalld 0.6.3 and higher.
Example:
Assume that there are two network zones. One has workstations, the other has servers somewhere in the middle of the workstations. Yes, it's not a logical subnetting layout, but I don't have the luxury of a greenfield implementation.
172.16.0.0/16: zone workstations, except for 172.16.12.0/24.
172.16.11.0/24: zone servers
The only way I know how to do this is very complicated and error prone:
172.16.0.0/21: zone workstation
172.16.8.0/23: zone workstation
172.16.10.0/24: zone workstation
172.16.12.0/22: zone workstation
172.16.16.0/20: zone workstation
172.16.32.0/19: zone workstation
172.16.64.0/18: zone workstation
172.16.128.0/15: zone workstation
172.16.11.0/24: zone servers
(I hope I got that right!) Our real network is actually more complex, with about 10 different zones, some of them nested inside each other. So I am looking for a better way to manage my firewalld zones.
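The manual subnet carving above is exactly the kind of computation that should not be done by hand. The following is an added example (not part of the question, and not firewalld's own tooling) that uses Python's standard `ipaddress.address_exclude` to split a supernet into the minimal set of CIDR blocks that cover everything except the excluded subnets, and then prints the corresponding `firewall-cmd --permanent --zone=... --add-source=...` lines. It takes the servers subnet 172.16.11.0/24 from the question as the exclusion; the zone names and the nesting of several exclusions are assumptions for illustration.

```python
import ipaddress


def exclude_subnets(supernet, excluded):
    """Return the sorted list of CIDR blocks covering `supernet` minus every
    network in `excluded`. CIDR blocks are either disjoint or nested, so each
    remaining block is kept whole, dropped, or split with address_exclude."""
    remaining = [ipaddress.ip_network(supernet)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        next_remaining = []
        for block in remaining:
            if ex_net.subnet_of(block):
                # Excluded network lies inside this block: split around it.
                # (address_exclude yields nothing when ex_net == block.)
                next_remaining.extend(block.address_exclude(ex_net))
            elif block.subnet_of(ex_net):
                # Whole block is covered by the exclusion: drop it.
                continue
            else:
                # Disjoint: keep the block untouched.
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


def covers_exactly(supernet, excluded, blocks):
    """Sanity check: the blocks must not touch any excluded network and must
    account for every address of the supernet that is not excluded."""
    ex_nets = [ipaddress.ip_network(e) for e in excluded]
    for block in blocks:
        if any(block.overlaps(e) for e in ex_nets):
            return False
    expected = ipaddress.ip_network(supernet).num_addresses
    expected -= sum(e.num_addresses for e in ex_nets)
    return sum(b.num_addresses for b in blocks) == expected


def firewall_cmd_lines(zone_sources):
    """zone_sources: dict mapping zone name -> list of (supernet, [excluded]).
    Emits the firewall-cmd invocations that add each computed block as a
    source of its zone, followed by a reload (zone names are hypothetical)."""
    lines = []
    for zone, specs in zone_sources.items():
        for supernet, excluded in specs:
            for block in exclude_subnets(supernet, excluded):
                lines.append(
                    f"firewall-cmd --permanent --zone={zone} "
                    f"--add-source={block.with_prefixlen}"
                )
    lines.append("firewall-cmd --reload")
    return lines


if __name__ == "__main__":
    # Constructed layout from the question: workstations everywhere in
    # 172.16.0.0/16 except the servers subnet 172.16.11.0/24.
    layout = {
        "workstations": [("172.16.0.0/16", ["172.16.11.0/24"])],
        "servers": [("172.16.11.0/24", [])],
    }
    for line in firewall_cmd_lines(layout):
        print(line)
```

Because the blocks are computed from the supernet and the exclusion list, adding a further nested zone is a one-line change to `layout` rather than a re-derivation of eight prefixes; `covers_exactly` can be run after each change to confirm that no block overlaps an excluded subnet and that no address was lost.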