From man firewalld.zone:
target="ACCEPT|%%REJECT%%|DROP"
Can be used to accept, reject or drop every packet. The ACCEPT target is used in the
trusted zone, every packet will be accepted. The %%REJECT%% target is used in the
block zone, every packet will be rejected with the default firewalld reject type. The
DROP target is used in the drop zone, every packet will be dropped. The default target
is {chain}_ZONE_{zone} and will be used if the target is not specified. If other than
the default target is used, all settings except interface and source are ignored,
because the first rule created in firewall for this zone is 'jump to target'.
Which is really not very specific as to how default works.
However, this is clarified by a proposed change/addition to the man page:
--permanent [--zone=zone] --set-target=target
Set the target of a permanent zone. target is one of: default,
ACCEPT, DROP, REJECT
default is similar to REJECT, but has special meaning in the
following scenarios:
1. ICMP explicitly allowed
At the end of the zone's ruleset ICMP packets are explicitly
allowed.
2. forwarded packets follow the target of the egress zone
In the case of forwarded packets, if the ingress zone uses
default then whether or not the packet will be allowed is
determined by the egress zone.
For a forwarded packet that ingresses zoneA and egresses zoneB:
· if zoneA's target is ACCEPT, DROP, or REJECT then the
packet is accepted, dropped, or rejected respectively.
· if zoneA's target is default, then the packet is accepted,
dropped, or rejected based on zoneB's target. If zoneB's
target is also default, then the packet will be rejected by
firewalld's catchall reject.
3. Zone drifting from source-based zone to interface-based zone
This only applies if AllowZoneDrifting is enabled. See
firewalld.conf(5).
If a packet ingresses a source-based zone with a target of
default, it may still enter an interface-based zone (including
the default zone).
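
The forwarded-packet rules quoted above, worked through as an added example (not part of the original post or of firewalld's code): it reads the target attribute from zone XML and computes the fallthrough verdict for each ingress/egress pair. The zone names and XML snippets are constructed samples, the function names are hypothetical, and only the zone target is modelled, not services, rich rules or anything else that matches before the target is reached.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone files (not taken from any real system).
SAMPLE_ZONES = {
    "internal": '<zone><short>Internal</short><service name="ssh"/></zone>',
    "dmz": '<zone><interface name="eth2"/></zone>',
    "trusted": '<zone target="ACCEPT"/>',
    "block": '<zone target="%%REJECT%%"/>',
    "drop": '<zone target="DROP"/>',
}

EXPLICIT = {"ACCEPT", "DROP", "REJECT"}


def zone_target(xml_text):
    """Return the zone's target as ACCEPT, DROP, REJECT or default."""
    # No target attribute means the default target is used.
    raw = ET.fromstring(xml_text).get("target", "default")
    target = raw.strip("%")  # zone files spell REJECT as %%REJECT%%
    if target not in EXPLICIT and target != "default":
        raise ValueError(f"unknown zone target: {raw!r}")
    return target


def forward_verdict(ingress, egress):
    """Fallthrough verdict for a packet forwarded between two zone targets."""
    if ingress in EXPLICIT:
        return ingress   # ingress target decides on its own
    if egress in EXPLICIT:
        return egress    # ingress is default: the egress zone decides
    return "REJECT"      # both default: firewalld's catchall reject


def forward_matrix(zones):
    """Map (ingress zone, egress zone) -> verdict for every ordered pair."""
    targets = {name: zone_target(xml) for name, xml in zones.items()}
    return {(a, b): forward_verdict(targets[a], targets[b])
            for a in targets for b in targets if a != b}


if __name__ == "__main__":
    # Print the matrix so default-target zones that inherit ACCEPT stand out.
    for (src, dst), verdict in sorted(forward_matrix(SAMPLE_ZONES).items()):
        print(f"{src:>8} -> {dst:<8} {verdict}")
```
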