firewall-cmd and rich rules
I find that logging at the info level is useful when moving ssh to a port other than 22 (for example, by changing the Port option in /etc/ssh/sshd_config to 19356). firewall-cmd rich rules allow far more control over firewall entries:
# firewall-cmd --add-rich-rule="$(cat rule_ssh_obfuscate.txt)" --permanent
The contents of rule_ssh_obfuscate.txt:
# cat rule_ssh_obfuscate.txt
rule family="ipv4" port port="19356" protocol="tcp" log prefix="ssh19356: " level="info" limit value="1/m" accept
# firewall-cmd --reload
# firewall-cmd --list-rich-rules
rule family="ipv4" port port="19356" protocol="tcp" log prefix="ssh19356: " level="info" limit value="1/m" accept
This way my kernel logs show who is attempting to connect to this port:
# journalctl -k | grep ssh19356
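Going one step past the grep, the following added example (not part of the original post) counts logged connections per source address from the lines that carry the ssh19356 prefix. The function names and the sample log lines are constructed for illustration; the sample assumes the usual netfilter KEY=VALUE log layout (SRC=, DPT=).

```shell
#!/bin/sh
# Added example (not from the original post): count logged connections per
# source address from kernel log lines carrying the rich rule's log prefix.
# Usage on a live host:  journalctl -k | summarize_ssh_log

summarize_ssh_log() {
    # $1 = log prefix; defaults to the prefix set in rule_ssh_obfuscate.txt
    prefix="${1:-ssh19356: }"
    awk -v prefix="$prefix" '
        index($0, prefix) {                 # only lines written by our rule
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {     # netfilter logs KEY=VALUE fields
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next             # truncated line, skip it
            count[src]++
            port[src] = dpt
        }
        END {
            for (s in count) printf "%d %s %s\n", count[s], s, port[s]
        }
    ' | sort -k1,1nr -k2,2                  # busiest sources first
}

# Constructed sample input (documentation addresses, invented MAC and IDs).
sample_kernel_log() {
    cat <<'EOF'
Jan 10 09:14:02 host kernel: ssh19356: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4211 DF PROTO=TCP SPT=51514 DPT=19356 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:15:40 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Jan 10 09:17:31 host kernel: ssh19356: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9120 DF PROTO=TCP SPT=40022 DPT=19356 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 09:21:05 host kernel: ssh19356: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4390 DF PROTO=TCP SPT=51630 DPT=19356 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}
```

Because the rule sets limit value="1/m" on the log element, at most one entry per minute is written, so these counts are a lower bound on the real number of connections.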