Not familiar with this at all. Quick dirty cheat sheet for my own reference.
Works as zones, easy enough, e.g.:
firewall-cmd --get-active-zones
public
interfaces: eth0
So you can add zones for different NICs or profiles or whatever.
Change interface
firewall-cmd --zone=home --change-interface=eth0
List allowed ports/services
firewall-cmd --list-all
Adding services
firewall-cmd --zone=public --add-service=http
or, to make it permanent (only applied to the running firewall after a reload):
firewall-cmd --zone=public --permanent --add-service=http
List available (predefined) services
firewall-cmd --get-services
Or add custom ports:
firewall-cmd --zone=public --add-port=1234/tcp
or a port range:
firewall-cmd --zone=public --add-port=1234-5678/tcp
Reload
firewall-cmd --reload
Restart & enable
systemctl restart firewalld
systemctl enable firewalld
Lock down ssh
Had to do this on a non-disposable system, so locked it down a bit using http://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld
firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=internal --add-source=xxx.xxx.xxx.xxx/32 --permanent
firewall-cmd --zone=internal --add-source=xxx.xxx.xxx.xxx/32 --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload
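A pre-flight check for the ssh lockdown above, as an added example that is not part of the original post: before removing ssh from the public zone, it confirms that ssh is enabled in the internal zone and that the address of the current SSH session is covered by one of the internal zone's sources. The function names are made up for this example; it handles IPv4 sources only and assumes it is run on the host from inside the SSH session.

```sh
#!/bin/sh
# Added example, not from the original post. IPv4 only.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET[/BITS] -> status 0 if IP is inside the network (no /BITS = /32)
in_cidr() (
  net=${2%/*}; bits=32
  case $2 in */*) bits=${2#*/} ;; esac
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
)

# covered IP "SRC SRC ..." -> status 0 if any listed source covers IP
covered() (
  for src in $2; do
    case $src in *:*) continue ;; esac   # skip IPv6, MAC and ipset: sources
    in_cidr "$1" "$src" && exit 0
  done
  exit 1
)

# preflight: run before "--zone=public --remove-service=ssh --permanent"
preflight() {
  client=${SSH_CONNECTION%% *}           # first field is the client address
  case $client in
    ''|*:*) echo "STOP: no IPv4 SSH client address found" >&2; return 1 ;;
  esac
  firewall-cmd --permanent --zone=internal --query-service=ssh >/dev/null ||
    { echo "STOP: ssh is not enabled in the internal zone" >&2; return 1; }
  sources=$(firewall-cmd --permanent --zone=internal --list-sources)
  covered "$client" "$sources" ||
    { echo "STOP: $client is not covered by: $sources" >&2; return 1; }
  echo "OK: $client reaches ssh through the internal zone"
}

# Only touches firewalld when asked to: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```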