PVE容器无网络连接(Packet filtered)解决方案

root@ams ~ # firewall-cmd --get-default-zone
public
root@ams ~ # firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 37466/tcp 80/tcp 443/tcp 45767/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@ams ~ # sudo firewall-cmd --permanent --new-zone=vmbr0zone
success
root@ams ~ # sudo firewall-cmd --permanent --zone=vmbr0zone --add-interface=vmbr0
success
root@ams ~ # sudo firewall-cmd --list-all --zone=vmbr0zone
Error: INVALID_ZONE: vmbr0zone
# 注:--permanent 只写入永久配置;新建的 zone 在执行 --reload 之前不会出现在运行时配置中,所以此时查询会报 INVALID_ZONE。
root@ams ~ # sudo firewall-cmd --permanent --zone=vmbr0zone --add-masquerade
success
root@ams ~ # sudo firewall-cmd --reload
success
root@ams ~ # sudo firewall-cmd --list-all --zone=vmbr0zone
vmbr0zone (active)
target: default
icmp-block-inversion: no
interfaces: vmbr0
sources:
services:
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
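root@ams ~ # sudo firewall-cmd --permanent --zone=vmbr0zone --set-target=ACCEPT
success
# 注:target=ACCEPT 会放行所有从 vmbr0 进入、且未被其他规则匹配的流量,范围比后面按网段放行的 rich rule 更宽。请先确认 vmbr0 只是容器使用的内部网桥;如果它同时桥接了公网网卡,宿主机的所有端口都会因此对外开放。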
root@ams ~ # sudo firewall-cmd --reload
success
root@ams ~ # sudo firewall-cmd --list-all --zone=vmbr0zone
vmbr0zone (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: vmbr0
sources:
services:
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@ams ~ # sudo firewall-cmd --permanent --zone=vmbr0zone --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" accept'
sudo firewall-cmd --permanent --zone=vmbr0zone --add-rich-rule='rule family="ipv6" source address="fd80::/64" accept'
success
success
root@ams ~ # sudo firewall-cmd --reload
success
