I get that it uses Zones to define traffic, but there's one question that's bothering me.

How exactly does Shorewall determine which zone incoming traffic belongs to?

I assumed it has to do with the /etc/shorewall/interfaces configuration. I've been guessing that Shorewall assumes that any incoming traffic over an interface defined here is part of the zone it's linked to in /etc/shorewall/interfaces. Is that actually true, or am I off base here?