I added the FW_TRUSTED_NETS line that Simon shared and it seems to work on
my SLES 12 SP2 box:

-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m
tcp --dport 8000:8010 -j LOG --log-prefix "SFW2-INext-ACC-TRUST "
--log-tcp-options --log-ip-options
-A input_ext -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp
--dport 8000:8010 -j ACCEPT
The 'iptables-save' output above shows that those ports should be open. I
tested this by setting up netcat to listen for traffic on two ports in
that range (8008 and 8010) and then connected to it from netcat on another
server and it seemed to be just fine.

With that in mind, I do not know why, when allowing access from anywhere,
you would not just put these ranges into the Allowed Services section of
Yast, perhaps under Advanced, or define that services file Simon mentioned
and then add that to the list of allowed services on the External (or
whichever) zone, which would allow access to those ports from anything
assigned to that zone (by default everything unassigned is assigned to the
External zone).

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.