how to enable MPI mpirun using firewalld in Centos 7

Question

I'm trying to make MPI run on a small cluster on Centos 7 OS. The firewall is preventing it from running. This is the error I get:

    $ mpirun -np 30 -hostfile hosts.txt mpi_sample_program/mpitest
    ------------------------------------------------------------
    A process or daemon was unable to complete a TCP connection
to another process:
  Local host:    marcher5
  Remote host:   ***.***.***.***.***
This is usually caused by a firewall on the remote host. Please
check that any firewall (e.g., iptables) has been disabled and
try again.
------------------------------------------------------------
--------------------------------------------------------------------------
ORTE was unable to reliably start one or more daemons.
This usually is caused by:

* not finding the required libraries and/or binaries on
  one or more nodes. Please check your PATH and LD_LIBRARY_PATH
  settings, or configure OMPI with --enable-orterun-prefix-by-default

* lack of authority to execute on one or more specified nodes.
  Please verify your allocation and authorities.

* the inability to write startup files into /tmp (--tmpdir/orte_tmpdir_base).
  Please check with your sys admin to determine the correct location to use.

*  compilation of the orted with dynamic libraries when static are required
  (e.g., on Cray). Please check your configure cmd line and consider using
  one of the contrib/platform definitions for your system type.

* an inability to create a connection back to mpirun due to a
  lack of common network interfaces and/or no route found between
  them. Please check network connectivity (including firewalls
  and network routing requirements).
--------------------------------------------------------------------------

When I disable firewall using : sudo systemctl disable firewalld, MPI works just fine. I've been trying for a long week to add a rule that allows MPI to run without turning off the firewalld butit didn't work yet. I was able to do it with sudo iptables -A INPUT -s -j ACCEPT and it worked. But now I have to use firewall-cmd because of Centos 7. What do you suggest I do without compromising the security of the cluster. Should I add a rule to allow all traffic between my nodes?

My current firewall-cmd configuration is:

$ firewall-cmd --list-all
work (default, active)
  interfaces: eno1
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Answer 1

I tried to add source using this:

sudo firewall-cmd --permanent --zone=work --add-source=[host_IP]

But still couldn't make the MPI application run correctly. Then decided that the only way to enable MPI on this cluster is to make a rule to accept all traffic between the nodes. I ran those 2 commands.

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s  [server+IP] -j ACCEPT

firewall-cmd --reload

and it worked like a charm.Not sure if this is the best solution security wise though.