diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 7241aeb..e6fffb1 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,7 +1,15 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Move DMZ network to zone 'dmz'
+- name: Move main LAN network to zone 'drop'
+  ansible.posix.firewalld:
+    zone: drop
+    source: 192.168.1.0/24
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Move lab network to zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
     source: 192.168.17.0/24
@@ -9,27 +17,34 @@
     immediate: true
     state: enabled
 
-- name: Move interface 'eth1' to zone 'internal'
+- name: Move internal network to zone 'internal'
   ansible.posix.firewalld:
     zone: internal
-    interface: eth1
+    source: 10.2.0.0/16
     permanent: true
     immediate: true
     state: enabled
+  when: hostname in groups['virtualservers']
 
-# Until sapt-labx-ctl01 is deployed
-- name: Allow incoming connections from main LAN to SSH port
+- name: Default deny incoming connections to SSH port in zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
-    source: 192.168.1.0/24
     service: ssh
     permanent: true
     immediate: true
-    state: enabled
-  when: true
+    state: disabled
+
+- name: Default deny incoming connections to SSH port in zone 'internal'
+  ansible.posix.firewalld:
+    zone: internal
+    service: ssh
+    permanent: true
+    immediate: true
+    state: disabled
+  when: hostname in groups['virtualservers']
 
 # When sapt-labx-ctl01 is deployed
-- name: Allow incoming connections from jump host to SSH port
+- name: Allow incoming connections from jump host to SSH port in zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
     source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
@@ -37,31 +52,39 @@
     permanent: true
     immediate: true
     state: enabled
-  when: false
+  when: false  # hostname not in groups['control_infra']
+
+# Until sapt-labx-ctl01 is deployed
+- name: Allow incoming connections to SSH port in zone 'drop'
+  ansible.posix.firewalld:
+    zone: drop
+    service: ssh
+    permanent: true
+    immediate: true
+    state: enabled
+  when: true
 
 - name: Firewall rules for group 'control_infra'
   when: hostname in groups['control_infra']
   block:
-    - name: Allow incoming connections from main LAN to SSH port
+    - name: Allow incoming connections to SSH port in zone 'dmz'
       ansible.posix.firewalld:
         zone: dmz
-        source: 192.168.1.0/24
         service: ssh
         permanent: true
         immediate: true
         state: enabled
 
-    - name: Allow incoming connections from LAN to DNS port
+    - name: Allow incoming connections to DNS port in zones 'drop' and 'dmz'
       ansible.posix.firewalld:
-        zone: dmz
-        source: 192.168.0.0/16
-        port: 53/{{ item }}
+        zone: "{{ item }}"
+        service: dns
         permanent: true
         immediate: true
         state: enabled
       loop:
-        - tcp
-        - udp
+        - drop
+        - dmz
 
 - name: Firewall rules for production and staging
   loop:
@@ -74,7 +97,7 @@
       ansible.posix.firewalld:
         zone: internal
         source: "{{ hostvars[item].internal_ipv4 }}"
-        port: 5432/tcp
+        service: postgresql
         permanent: true
         immediate: true
         state: enabled