Firewalld Notes

  • A zone is a named set of rules that firewalld applies to the traffic assigned to it. For example, you can put the wifi interface in one zone and the ethernet interface in another and give each its own rules.
  • A zone is active only if at least one of these holds: 1) a network interface is bound to it, or 2) one or more IPs or network ranges are assigned to it as sources. `firewall-cmd --get-active-zones` shows which zones are active and why.
  • Something I have been doing, which is not great, is adding ports without specifying which zone they belong to. Without --zone, firewall-cmd applies the change to the default zone (public on a fresh install, but it can be changed with --set-default-zone), so it is better to be explicit. What I really want is to add them to the public zone, and I have updated the guide above to do that. The option to use is --zone=public.
  • Another useful setup is to have two active zones, public and trusted. Bind the network interface to public, and give trusted the LAN as a source with --add-source=192.168.0.0/24. The source binding alone makes trusted active, so do not also bind trusted to the interface; that would put every packet arriving on the interface into trusted. Because firewalld matches sources before interfaces, packets from 192.168.0.0/24 land in trusted and everything else on the interface lands in public. You can then add a service like ssh to the trusted zone and remove it from public, which restricts ssh to the LAN and hides it from the larger internet. Remove it from public only after confirming the LAN path works, or you may lock yourself out.
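The two-zone setup above as a script, added here as a worked example rather than something from the original notes. It assumes the external interface is eth0 and the LAN is 192.168.0.0/24 (both overridable through the IFACE and LAN environment variables) and that firewalld is running; the fwcmd wrapper and DRY_RUN switch are constructed helpers so the commands can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example: public zone on the interface, trusted zone keyed on the LAN
# source, ssh reachable from the LAN only. Assumed defaults: eth0 and
# 192.168.0.0/24. DRY_RUN=1 prints the firewall-cmd calls instead of running them.
IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.0.0/24}"

# Constructed helper: run firewall-cmd, or echo the call when DRY_RUN=1.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent configuration for both zones, applied with a single reload.
setup_zones() {
    # Binding the interface is what makes the public zone active.
    fwcmd --permanent --zone=public --change-interface="$IFACE"
    # The source binding alone makes trusted active. Do NOT bind trusted to
    # the interface as well, or all traffic on the interface would land there.
    fwcmd --permanent --zone=trusted --add-source="$LAN"
    # ssh is allowed from the LAN zone ...
    fwcmd --permanent --zone=trusted --add-service=ssh
    # ... and must also be removed from public, otherwise the internet keeps it.
    # Confirm LAN access first: this step can lock out a remote session.
    fwcmd --permanent --zone=public --remove-service=ssh
    # Load the permanent configuration into the running firewall.
    fwcmd --reload
}

# The checks to run afterwards: which zones are active, and what each allows.
show_state() {
    fwcmd --get-active-zones
    fwcmd --zone=public --list-all
    fwcmd --zone=trusted --list-all
}

# Usage: DRY_RUN=1 sh this_script.sh apply   (review)
#        sh this_script.sh apply             (apply and show the result)
if [ "${1:-}" = "apply" ]; then
    setup_zones
    show_state
fi
```

Run it once with DRY_RUN=1 and read the five commands it would issue; the thing to look for is that the only --change-interface call targets public and that ssh is removed from public in the same batch it is added to trusted.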