diff --git a/stages/org.osbuild.firewall b/stages/org.osbuild.firewall
index 510e33c8..f2f53056 100755
--- a/stages/org.osbuild.firewall
+++ b/stages/org.osbuild.firewall
@@ -59,6 +59,10 @@ SCHEMA = """
 "type": "string",
 "description": "Service name (from /{lib,etc}/firewalld/services/*.xml)"
 }
+ },
+ "default_zone": {
+ "description": "Set default zone for connections and interfaces where no zone has been selected.",
+ "type": "string"
 }
 }
 """
@@ -72,7 +76,14 @@ def main(tree, options):
 enabled_services = options.get("enabled_services", [])
 disabled_services = options.get("disabled_services", [])
+ default_zone = options.get("default_zone", "")
+ # firewall-offline-cmd does not implement --root option so we must chroot it
+ if default_zone:
+ subprocess.run(["chroot", tree, "firewall-offline-cmd", f"--set-default-zone={default_zone}"], check=True)
+
+ # The options below are "lokkit" compatibility options and can not be used
+ # with other options.
 subprocess.run(["chroot", tree, "firewall-offline-cmd"] +
diff --git a/test/data/stages/firewall/b.json b/test/data/stages/firewall/b.json
index fc96c615..a95161ab 100644
--- a/test/data/stages/firewall/b.json
+++ b/test/data/stages/firewall/b.json
@@ -488,7 +488,8 @@
 ],
 "disabled_services": [
 "telnet"
- ]
+ ],
+ "default_zone": "trusted"
 }
 }
 ]
diff --git a/test/data/stages/firewall/b.mpp.json b/test/data/stages/firewall/b.mpp.json
index abbc2997..5d2b83fb 100644
--- a/test/data/stages/firewall/b.mpp.json
+++ b/test/data/stages/firewall/b.mpp.json
@@ -42,7 +42,8 @@
 ],
 "disabled_services": [
 "telnet"
- ]
+ ],
+ "default_zone": "trusted"
 }
 }
 ]
diff --git a/test/data/stages/firewall/diff.json b/test/data/stages/firewall/diff.json
index c59c4e08..60549d22 100644
--- a/test/data/stages/firewall/diff.json
+++ b/test/data/stages/firewall/diff.json
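Review bot: The new `default_zone` schema property is a bare `"type": "string"` with no `minLength`, and its description does not say the zone has to already exist in the tree; in the same diff `main()` reads it as `options.get("default_zone", "")` and guards with `if default_zone:`, so an explicit empty string passes validation and is silently a no-op instead of an error, while a misspelled or missing zone is only rejected when `firewall-offline-cmd` fails under `check=True` at build time. Since the value is passed as a single argv element inside `--set-default-zone=...` it cannot be split by a shell, so this is a validation and documentation gap rather than an injection issue. I would add `"minLength": 1` next to `"type": "string"` and extend the description to mirror the existing services entry, e.g. `"Set default zone for connections and interfaces where no zone has been selected. The zone must exist in the tree (from /{lib,etc}/firewalld/zones/*.xml)."`; whether firewalld itself restricts zone-name characters is not visible here, so the build-time failure is presumably the only check.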
@@ -1,8 +1,11 @@
 {
 "added_files": [
- "/etc/firewalld/zones/public.xml",
- "/etc/firewalld/zones/public.xml.old"
+ "/etc/firewalld/firewalld.conf.old",
+ "/etc/firewalld/zones/trusted.xml",
+ "/etc/firewalld/zones/trusted.xml.old"
 ],
 "deleted_files": [],
- "differences": {}
+ "differences": {
+ "/etc/firewalld/firewalld.conf": {"mode": [41471, 33152]}
+ }
 }
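Review bot: The new expectation records `/etc/firewalld/firewalld.conf` changing mode from 41471 (0o120777, a symlink) to 33152 (0o100600, a regular file) and adds `/etc/firewalld/firewalld.conf.old` and `/etc/firewalld/zones/trusted.xml.old` to the built tree, which means the default-zone change presumably replaces a distro-default symlink with a private 0600 copy and leaves `.old` backups in the shipped image. Neither effect is mentioned in the stage's schema description, and the backup files have no purpose in an image (the pre-existing `public.xml.old` shows this was already the case for zone files before this change). I would state in the `default_zone` description that firewalld.conf becomes a local file once a default zone is set, and consider removing the `*.old` files after the `firewall-offline-cmd` calls or documenting why they are kept, updating this expected output accordingly.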