Rule template for similar scenario

Hello Community
I have now been hitting my head against the wall for quite some time trying to make this work. I sort of manage to get it working halfway, but when I involve the remote access things seem to fall apart.

The scenario is as follows.
I have one Zabbix server that I want to be able to communicate with its Zabbix proxies only bi-directionally over port 10051. Proxies should not be able to communicate with each other.
Additionally, I would like specific users to be able to access the Zabbix proxies over SSH and also access the Zabbix server over SSH, HTTP and HTTPS uni-directionally.

Help would be much appreciated.

Put each Zabbix host in a separate ZeroTier network. Add the Zabbix server and remote access nodes to each of those networks. Put a default-block firewall rule on the Zabbix server and pinhole port 10051.

If you don’t want to install ZeroTier on each remote access node, then you can concentrate remote access on the Zabbix server and have it IP-forward or SOCKS-proxy users inwards.

Look at the -J destination parameter and the ProxyJump directive in the ssh manpage. If you really want to use rules instead of logical isolation, then look at Dante SOCKS too.
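
One way to write the default-block rule with the 10051 pinhole suggested above, as an added example that is not part of the original thread. It assumes nftables is the host firewall on the Zabbix server, that ZeroTier interfaces are named zt*, and that the networks hand out IPv4 addresses only; the addresses in the set are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: filters only the Zabbix server's ZeroTier interfaces.
# LAN traffic and ZeroTier's own underlay transport are left untouched.

table inet zt_zabbix {
    # ZeroTier-assigned addresses of the remote access nodes, one per
    # network they joined (constructed placeholder values).
    set remote_access {
        type ipv4_addr
        elements = { 10.147.1.10, 10.147.2.10 }
    }

    chain zt_in {
        ct state established,related accept
        ct state invalid drop
        # Pinhole: active proxies connect to the server on 10051.
        tcp dport 10051 accept
        # Remote access nodes only: SSH, HTTP, HTTPS, inbound.
        ip saddr @remote_access tcp dport { 22, 80, 443 } accept
        # Default block for everything else arriving over ZeroTier.
        drop
    }

    chain zt_out {
        ct state established,related accept
        # Server polls passive proxies on 10051.
        tcp dport 10051 accept
        # Only for the variant where remote access is concentrated on
        # the server (ProxyJump): uncomment to let it open SSH inwards.
        # tcp dport 22 accept
        drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        iifname "zt*" jump zt_in
    }

    chain output {
        type filter hook output priority 0; policy accept;
        oifname "zt*" jump zt_out
    }
}
```

Proxy-to-proxy isolation comes from the separate ZeroTier networks, not from this ruleset; the ruleset only limits what reaches and leaves the server across them.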