As many active zones as you need are possible; see:
firewall-cmd --get-active-zones
But only one zone per interface.
And there is the problem. I have one NIC so one interface. I have a
router in front of the system on which I am running firewalld. The
router forwards some ports to the system. I am using firewalld to
protect the system from IPs trying to break into it.
I have an active zone on the interface which defines services that are
permitted and their ports. I have been using a direct rule to use ipsets
to blacklist IPs. When I updated to the versions of ipset and firewalld that
are in Fedora 26, the direct rule quit working. That may be a bug or
bugs or a change in use. Either way, firewalld is no longer blocking the
IPs in the ipsets I have defined.
John