firewalld applies rules through zones, and the active zone for an interface or source decides which services, ports, rich rules, and forwarding settings handle that traffic. Check the active-zone map before editing rules on a host with more than one interface, source-based zone, or NetworkManager-managed connection.
firewall-cmd --get-active-zones prints the zone bindings that firewalld is applying in the runtime configuration. Interface and source lines show explicit bindings, while the default zone is the fallback for traffic that has no more specific match.
If the output shows a zone name with (default) but no interface or source line, confirm the fallback with firewall-cmd --get-default-zone before choosing the zone for a rule change. On NetworkManager hosts, also check the connection profile because connection.zone can reapply a zone after a reconnect or reboot.
Related: Assign a network interface to a firewalld zone
Related: Change the default firewalld zone
Related: Allow a service in firewalld
Steps to check active firewalld zones:
- Confirm that firewalld is running before reading runtime zone state.
$ firewall-cmd --state
running
- List the active zones and their runtime bindings.
$ firewall-cmd --get-active-zones
dmz
  interfaces: dmz0
public (default)
The zone name starts each block. Lines below it show the interfaces or source networks bound to that zone. A zone shown only as (default) is the fallback for unclassified traffic, not proof that a specific interface is explicitly assigned to it.
- Confirm the default zone used when no interface or source-specific binding matches.
$ firewall-cmd --get-default-zone
public
Do not assume the default zone is the zone handling a specific interface. An explicit interface or source binding takes precedence over the default zone.
- Query the zone for the interface that carries the traffic being checked.
$ firewall-cmd --get-zone-of-interface=dmz0
dmz
If the command prints no zone, the interface has no explicit firewalld zone binding. Check the default zone and the NetworkManager connection profile before adding rules.
- Query the zone for a source network when the active-zone output or local policy uses source bindings.
$ firewall-cmd --get-zone-of-source=192.0.2.0/24
internal
Use the same source format shown by firewalld, such as an address, CIDR range, MAC address, or ipset:<name>. A mismatched source value can return no zone even when another source binding exists.
- Inspect the rule inventory for the zone that actually handles the traffic.
$ firewall-cmd --zone=dmz --list-all
dmz (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: dmz0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Older firewalld releases can omit fields such as ingress-priority and egress-priority. The zone name, active marker, interfaces, sources, services, ports, and rich rules are the fields needed for this check.
- On NetworkManager-managed hosts, find the connection profile that owns the interface.
$ nmcli -f GENERAL.CONNECTION device show dmz0
GENERAL.CONNECTION:                     Wired DMZ
- Check the zone stored on that NetworkManager connection profile.
$ nmcli -f connection.zone connection show "Wired DMZ"
connection.zone:                        dmz
If the NetworkManager profile shows a different zone or an empty value, a reconnect can move the interface back to the profile's stored zone or the default zone. Update the connection profile during the same change window as any firewalld zone reassignment.
- Use the identified zone name for the next firewalld rule check or change.
$ firewall-cmd --zone=dmz --list-services
ssh
Do not add or remove a service, port, or rich rule in public only because it is the default zone. Use the zone that owns the interface or source path being changed.
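The whole procedure above, condensed into a small POSIX shell check (an added example, not part of the original article): it resolves the zone that handles an interface from the `firewall-cmd --get-active-zones` text, falls back to the default zone when there is no explicit binding, and flags a NetworkManager profile whose stored `connection.zone` disagrees. The script name `check_zone.sh` is hypothetical, and the sample outputs are constructed to match the shapes shown in the steps.

```shell
#!/bin/sh
# Added example (not from the original article): resolve the zone that
# handles an interface from the text `firewall-cmd --get-active-zones`
# prints, fall back to the default zone, and compare the result with the
# zone stored on the NetworkManager profile. Sample output is constructed.

# zone_for_interface IFACE ACTIVE_ZONES_TEXT
# Prints the zone whose "interfaces:" line names IFACE; prints nothing
# when the interface has no explicit binding.
zone_for_interface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ ]/ { zone = $1; next }         # zone headers start in column 1
        $1 == "interfaces:" {               # indented binding line
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# effective_zone IFACE ACTIVE_ZONES_TEXT DEFAULT_ZONE
# An explicit interface binding wins; otherwise the default zone applies.
effective_zone() {
    z=$(zone_for_interface "$1" "$2")
    if [ -n "$z" ]; then printf '%s\n' "$z"; else printf '%s\n' "$3"; fi
}

# nm_zone_matches ZONE NMCLI_TEXT
# NMCLI_TEXT is what `nmcli -f connection.zone connection show NAME` prints.
# Succeeds only when the profile stores ZONE; an empty value (nmcli shows
# it as "--") counts as a mismatch because a reconnect would drop the zone.
nm_zone_matches() {
    stored=$(printf '%s\n' "$2" | awk '$1 == "connection.zone:" { print $2 }')
    [ -n "$stored" ] && [ "$stored" != "--" ] && [ "$stored" = "$1" ]
}

# Constructed sample output in the shapes the steps above show.
ACTIVE='dmz
  interfaces: dmz0
public (default)'
NM_DMZ='connection.zone:                        dmz'
NM_EMPTY='connection.zone:                        --'

# Live mode: sh check_zone.sh IFACE "Connection name" (needs firewall-cmd, nmcli).
if [ $# -eq 2 ]; then
    zone=$(effective_zone "$1" "$(firewall-cmd --get-active-zones)" \
                          "$(firewall-cmd --get-default-zone)")
    echo "$1 is handled by zone: $zone"
    nm_zone_matches "$zone" "$(nmcli -f connection.zone connection show "$2")" \
        || echo "warning: profile '$2' does not store zone '$zone'; a reconnect may move $1"
fi
```

Run it with no arguments to exercise only the parsing functions against the constructed samples; pass an interface and a connection name to check a live host.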
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.