firewalld: open port for single ip (or how to limit access to checkmk-agent to a single ip)

Newer versions of checkmk-agent for Linux use systemd instead of xinetd to spawn the agent, so you lose the ability to limit access through a simple config file.

My solution was a rule in firewalld. You have to use a rich rule. Sadly that's not as easy as the usual firewalld stuff…

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.22.33.44/32" port protocol="tcp" port=6556 accept'

Afterwards simply restart firewalld or reload the rules.
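
The steps above as a script, added here as an example and not part of the original post. It also refuses to continue if the port is already open for every source in the default zone, because the rich rule would then restrict nothing. The function names are made up for this example, and ports opened through a firewalld service definition are not checked.

```shell
#!/bin/sh
# Added example: allow the checkmk agent port only from one monitoring server.
# Run as root, e.g.:  restrict_agent 11.22.33.44

# Print the rich rule for one IPv4 source ($1) and TCP port ($2).
# Anything but digits and dots in the address is rejected, so a quote
# character can never end up inside the rule text.
build_rule() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    printf 'rule family="ipv4" source address="%s/32" port protocol="tcp" port="%s" accept' "$1" "$2"
}

# Succeed if TCP port $2 is covered by a "--list-ports" style list ($1),
# either as a single entry (6556/tcp) or inside a range (6000-7000/tcp).
port_open_zone_wide() {
    for entry in $1; do
        case "$entry" in */tcp) ;; *) continue ;; esac
        range=${entry%/tcp}
        lo=${range%-*}
        hi=${range#*-}
        [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0
    done
    return 1
}

# Check for a conflicting zone-wide port, add the rule, reload, show result.
restrict_agent() {
    src=$1
    port=${2:-6556}
    rule=$(build_rule "$src" "$port") || { echo "bad address or port" >&2; return 2; }
    if port_open_zone_wide "$(firewall-cmd --permanent --list-ports)" "$port"; then
        echo "$port/tcp is open for all sources, remove it first:" >&2
        echo "  firewall-cmd --permanent --remove-port=$port/tcp" >&2
        return 1
    fi
    firewall-cmd --permanent --add-rich-rule="$rule" &&
        firewall-cmd --reload &&
        firewall-cmd --list-rich-rules
}
```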