> > The zone apparently means something because an interface can only be on one. > Moving it to a different zone results in the same error (same services/ports > opened in each zone). The "zones" are just labels and are used to create kernel iptables. Each zone has a default set of open and closed ports ranging from "trusted" which accepts all packets to "public" which has everything closed. You can modify the allowed ports and services on each zone at will. Some of the zones have "special" features - "block" rejects all packets, "drop" drops all packets, "external" has masquerading turned on and so on. If you have a single network, then that interface will, by default, be put in the "public" zone, so most ports will be closed. That's fine, just leave it in that zone, it's just a label/container. You can list the services open in the default zone by doing firewall-cmd --list-services or for ports not services firewall-cmd --list-ports or for a different zone firewall-cmd --zone=public --list-services You can also find out which zones your interface(s) is in with firewall-cmd --get-active-zones One of the gotchas with firewalld is that the changes are made in either the current running iptables *or* the stored rules, not both. So if you make a change to the running rule set, those changes won't be kept the next time you restart firewalld. You can either use the ' --permanent' flag to set the stored rules (but it won't affect the active rules) or the '--runtime-to-permanent' flag to copy the current active rules to the stored ones. The bottom line is that firewalld is just another application that manipulates the kernel packet routing tables. Use something else if you prefer it - some of the system tools assume firewalld, but if you are aware of what's happening it shouldn't be an issue. > > I may as well disable firewalld and let my router handle the firewall. > If you are happy that there is nothing behind your firewall that could cause a problem then that's an acceptable route. P.