Creating Customized Zones
You can create zones and then configure each zone's settings for customized firewall protection.
Using the firewall-cmd Command
As shown in the following example, you can use the firewall-cmd CLI to create an empty zone, which means that no default services are assigned. When configuring a customized zone, you must always include the --permanent option in the command. Otherwise, an error message is generated.
sudo firewall-cmd --permanent --new-zone=testzone
sudo firewall-cmd --permanent --get-zones
block dmz drop external home internal nm-shared public testzone trusted work
sudo firewall-cmd --permanent --info-zone=testzone
testzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Without the --permanent option, the --get-zones option does not display the created zone.
The --info-zone=zone-name option generates the same output as the --list-all option.
To make this zone creation persistent, add the following command:
sudo firewall-cmd --runtime-to-permanent
After creating the zone, you can add services, ports, assign interfaces, and so on, by using the command options that are provided in the previous examples:
sudo firewall-cmd --zone=testzone --add-service=http
Error: INVALID ZONE: testzone
sudo firewall-cmd --permanent --zone=testzone --add-service=http
Ensure that you use the --permanent option when using these commands.
Using a Zone Configuration File
All zones have corresponding configuration files. For the predefined zones that are installed with the operating system, the configuration files are in the /usr/lib/firewalld/zones directory.
When you configure a predefined zone, the configuration file is copied to the /etc/firewalld/zones directory and the changes are stored in that location. If you use a configuration file to create new zones, you must also use /etc/firewalld/zones as the working directory.
If you're creating a zone with only minor differences from the settings of predefined zones, copying an existing configuration file to the working directory is the easiest approach. You can use either of the following commands:
sudo cp /etc/firewalld/zones/existing-conf-file.xml new-zone.xml
sudo cp /usr/lib/firewalld/zones/existing-conf-file.xml /etc/firewalld/zones/new-zone.xml
Then, using a text editor, revise the settings in the new configuration file. The following example shows what the configuration file of testzone might contain. testzone accepts traffic for one service (SSH) and one port range for the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>testzone</short>
  <description>Put description here</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
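The following script is an added example, not part of the original documentation. It parses a zone configuration file in the format shown above and reports which services and ports the zone admits, flagging wide port ranges and an ACCEPT target for review before the file is loaded. The function names, the embedded sample, and the WIDE_RANGE threshold are assumptions made for this example; the optional target attribute on the zone element does not appear in the file above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the testzone file shown above, as it would sit in
# /etc/firewalld/zones/testzone.xml.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>testzone</short>
  <description>Put description here</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
"""

# Assumption: a review threshold chosen for this example, not a firewalld setting.
WIDE_RANGE = 1024


def port_count(spec):
    """Number of ports covered by a port attribute such as '22' or '1025-65535'."""
    first, _, last = spec.partition("-")
    low, high = int(first), int(last or first)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return high - low + 1


def audit_zone(xml_text):
    """Summarize what a zone file admits and list settings worth a second look."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    report = {"name": root.findtext("short", default="(unnamed)"),
              "target": root.get("target", "default"),
              "services": [s.get("name") for s in root.findall("service")],
              "ports": [], "findings": []}
    if report["target"] == "ACCEPT":
        report["findings"].append("target ACCEPT: packets matching no rule are accepted")
    for port in root.findall("port"):
        spec, proto = port.get("port", ""), port.get("protocol")
        count = port_count(spec)
        report["ports"].append((spec, proto, count))
        if count >= WIDE_RANGE:
            report["findings"].append(f"{proto} {spec} opens {count} ports")
    return report


if __name__ == "__main__":
    result = audit_zone(SAMPLE_ZONE)
    print(result["name"], result["services"], result["ports"])
    for finding in result["findings"]:
        print("REVIEW:", finding)
```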