Adding an interface to trusted seems to de-activate the public zone, but not change the default zone.

sh-4.2# firewall-cmd --zone=trusted --add-interface=ens33
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
sh-4.2# firewall-cmd --get-default-zone
public
sh-4.2# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: smtp submission
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
sh-4.2# firewall-cmd --get-active-zones
work
  sources: a.b.75.64/27 a.b.111.0/24
internal
  sources: a.b.0.0/16
trusted
  interfaces: ens33
  sources: a.b.75.66 a.b.141.137 a.b.249.25 a.b.249.254



---
Chad Cordero
Information Technology Consultant
Enterprise & Cloud Services
Information Technology Services
California State University, San Bernardino
5500 University Pkwy
San Bernardino, CA 92407-2393
Main Line: 909/537-7677
Direct Line: 909/537-7281
Fax: 909/537-7141
http://support.csusb.edu/

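The active-zone listing in the reply above shows a.b.249.25 bound to trusted as a host source while a.b.0.0/16 is bound to internal, so that host is covered by two zones' source bindings, and ens33 is now bound to trusted rather than falling into the default zone. The script below is an added example, not code from the thread or from firewalld: it parses `firewall-cmd --get-active-zones` output, lists every zone whose sources cover a given address, flags source bindings nested inside another zone's source, and resolves an interface to its zone, falling back to the default zone (what `firewall-cmd --get-default-zone` prints) when nothing binds it. The sample listing is constructed from the thread, with the redacted a.b prefix assumed to be 10.20 everywhere and the default zone assumed to be public as in the reply. Which zone firewalld applies to an address that matches two bindings is not something the listing tells you, so the nested entries are the ones to confirm on the host.

```python
import ipaddress

# Constructed sample: the `firewall-cmd --get-active-zones` listing from the
# thread, with the redacted "a.b" prefix assumed to be 10.20 throughout.
ACTIVE_ZONES = """\
work
  sources: 10.20.75.64/27 10.20.111.0/24
internal
  sources: 10.20.0.0/16
trusted
  interfaces: ens33
  sources: 10.20.75.66 10.20.141.137 10.20.249.25 10.20.249.254
"""

# Assumed output of `firewall-cmd --get-default-zone`, as shown in the reply.
DEFAULT_ZONE = "public"


def parse_active_zones(text):
    """Parse --get-active-zones output into {zone: {"interfaces": [...], "sources": [...]}}.

    Zone names start at column 0; the indented lines below each zone are
    'interfaces:' and 'sources:' followed by space-separated bindings.
    """
    zones = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            zones[current] = {"interfaces": [], "sources": []}
        else:
            key, _, value = line.strip().partition(":")
            zones[current][key.strip()] = value.split()
    return zones


def _as_network(source):
    """Return the source as an ip_network, or None for MAC / ipset: bindings."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def zones_matching_address(zones, address):
    """Every (zone, source) pair whose source binding covers the given address."""
    ip = ipaddress.ip_address(address)
    hits = []
    for name, zone in zones.items():
        for source in zone["sources"]:
            net = _as_network(source)
            if net is not None and ip in net:
                hits.append((name, source))
    return hits


def nested_sources(zones):
    """Source bindings that lie inside a source bound to a different zone.

    Each entry is (zone, source, enclosing_zone, enclosing_source). Addresses
    in such a binding match more than one zone, so the zone firewalld actually
    applies to them has to be confirmed on the host.
    """
    bindings = [(name, src, _as_network(src))
                for name, zone in zones.items() for src in zone["sources"]]
    bindings = [b for b in bindings if b[2] is not None]
    nested = []
    for name, src, net in bindings:
        for other, osrc, onet in bindings:
            if other != name and net.subnet_of(onet):
                nested.append((name, src, other, osrc))
    return nested


def zone_of_interface(zones, interface, default_zone=DEFAULT_ZONE):
    """Zone an interface is bound to; an unbound interface falls into the default zone."""
    for name, zone in zones.items():
        if interface in zone["interfaces"]:
            return name
    return default_zone


if __name__ == "__main__":
    zones = parse_active_zones(ACTIVE_ZONES)
    print("10.20.249.25 matches:", zones_matching_address(zones, "10.20.249.25"))
    for entry in nested_sources(zones):
        print("%s source %s lies inside %s source %s" % entry)
    print("ens33 ->", zone_of_interface(zones, "ens33"))
    print("eth1  ->", zone_of_interface(zones, "eth1"))
```

To run it against a live host, replace the constructed `ACTIVE_ZONES` text with the real `firewall-cmd --get-active-zones` output and `DEFAULT_ZONE` with the real `--get-default-zone` value; the nested entries are the host or network sources whose effective zone is worth checking before relying on a trusted binding.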

From: Dick <dick@mrns.nl>
Reply-To: Firewalld users discussion list <firewalld-users@lists.fedorahosted.org>
Date: Wednesday, April 19, 2017 at 4:35 AM
To: Firewalld users discussion list <firewalld-users@lists.fedorahosted.org>
Subject: Re: Trusted zone not working


I don't see any interfaces added to trusted; afaik firewalld requires an interface to be specified for a zone.

For some reason my trusted host, a.b.249.25, (a.b represents my subnet) cannot access ssh.  Is there some limit to the number of zones I can have?


sh-4.2# firewall-cmd --zone=trusted --list-all
trusted (active)
   target: ACCEPT
   icmp-block-inversion: no
   interfaces:
   sources: a.b.141.137 a.b.249.25 a.b.249.254 a.b.75.66
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   sourceports:
   icmp-blocks:
   rich rules:

_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org