Description of problem: -> $ firewall-cmd --info-service=kube-control-plane-secure kube-control-plane-secure ports: protocols: source-ports: modules: destination: includes: etcd-client etcd-server kube-apiserver kube-controller-manager-secure kube-scheduler-secure helpers: -> $ firewall-cmd --info-service=kube-apiserver kube-apiserver ports: 6443/tcp protocols: ... -> $ _FIRE=kube-control-plane-secure; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\" -> $ nmap 10.3.1.61 -p 6443 # result -> filtered -> $ _FIRE=kube-apiserver; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\" -> $ nmap 10.3.1.61 -p 6443 # result -> open Does that make sense? Also, if such service - eg. kube-control-plane-secure - is allowed "normally", in 'service' then what happens is what I'd expect - included services get allowed too. Version-Release number of selected component (if applicable): firewalld-filesystem-1.2.1-1.el9.noarch firewalld-1.2.1-1.el9.noarch How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: