diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index 4e649c1..03dc312 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -18,8 +18,9 @@
         permanent: true
         state: enabled
 
-    - name: Deny incoming connections to SSH port in default zone
+    - name: Deny incoming connections to SSH port in zone 'public'
       ansible.posix.firewalld:
+        zone: public
         service: ssh
         permanent: true
         state: disabled
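Review bot: With `zone: public` pinned on the SSH deny task, the rule no longer follows the host's default zone. On a host whose default zone or interface binding is anything other than `public`, the ssh service would stay enabled in that zone. Nothing in the hunk sets or checks the default zone, so if the role relies on it, a comment above the task should say so, for example `# Assumes 'public' is the default zone and holds the external interface`. The enclosing block starts above the hunk, so a task that sets the default zone may already exist there.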
@@ -46,23 +47,32 @@
   when: hostname in groups['proxyservers']
   notify: Reload firewalld
   block:
-    - name: Allow incoming connections to HTTP port in zone 'dmz'
+    - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
       ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
         service: http
         permanent: true
         state: enabled
+      loop:
+        - public
+        - dmz
 
-    - name: Allow incoming connections to HTTPS port in zone 'dmz'
+    - name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz'
       ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
         service: https
         permanent: true
         state: enabled
+      loop:
+        - public
+        - dmz
 
-    - name: Allow incoming connections to HTTP/3 port in zone 'dmz'
+    - name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz'
       ansible.posix.firewalld:
-        zone: dmz
+        zone: "{{ item }}"
         service: http3
         permanent: true
         state: enabled
+      loop:
+        - public
+        - dmz
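Review bot: The zone list `public`, `dmz` is repeated verbatim in the `loop:` of all three tasks (http, https, http3), so a later edit to one list can leave a service open in a zone the other two no longer cover. Defining the list once on the block would keep the exposure reviewable in one place, for example `vars: {proxy_web_zones: [public, dmz]}` next to `notify:` and `loop: "{{ proxy_web_zones }}"` in each task (the variable name is only a suggestion). If `public` is also the default zone, these ports become reachable on every interface not bound to another zone; a one-line comment stating that this is intended for the proxy hosts would help. The block header and its `when:` condition begin above the hunk.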