Jake: The way you stated your requirements leads me to assume you are comfortable with iptables and probably have a working script that handles the setup of iptables directly. Firewalld does use iptables (and ip6tables) but assumes you can work within some preset scenarios as defined in firewalld. Your requirements suggest a "public" zone basic setup, or "trust nobody at all", with DNS and VPN services enabled. Firewalld also allows a definition of "sources", interfaces and/or IP addresses that are allowed before the basic netfilter packet path is traversed. I had been running a somewhat convoluted iptables setup at bootup in Fedora 13 and upgraded through CentOS 6 as the years passed, but CentOS 7 changed the basic game. I found firewalld was workable provided I adjusted my netfilter plan to fit its predetermined setup.

I run a short script as root to output the iptables setup from firewalld, just to see how it runs, and you may find that script helpful. Note you must create/define an output directory as I did in line 1:

DIR=/tmp/IPTABLES   # output directory; must already exist (run this under bash as root)

# Timestamp for this snapshot
date > "$DIR/As-of"

# IPv4 filter, nat and mangle tables as firewalld has loaded them into iptables
date > "$DIR/iptables-list"
/sbin/iptables -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table nat\n" >> "$DIR/iptables-list"
/sbin/iptables -t nat -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table mangle\n" >> "$DIR/iptables-list"
/sbin/iptables -t mangle -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\nEND of iptables list\n" >> "$DIR/iptables-list"

# Same tables for IPv6
date > "$DIR/ip6tables-list"
/sbin/ip6tables -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table nat\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t nat -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table mangle\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t mangle -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\nEND of ip6tables list\n" >> "$DIR/ip6tables-list"

# Bridge rules, only if ebtables is installed
date > "$DIR/ebtables-list"
[ -x /sbin/ebtables ] && /sbin/ebtables -Ln >> "$DIR/ebtables-list"
echo -e "\nEND of ebtables list\n" >> "$DIR/ebtables-list"

# The following saves the rule set in iptables-save format, i.e. the config
# plain iptables would load if I used it in lieu of firewalld
/sbin/iptables-save > "$DIR/saved_iptables_config"
/sbin/ip6tables-save > "$DIR/saved_ip6tables_config"

# If you have set up the traditional iptables configs, the following could be added to the script
[ -f /etc/sysconfig/iptables ] && /bin/cp -u /etc/sysconfig/iptables "$DIR/iptables-DEFAULT"
[ -f /etc/sysconfig/ip6tables ] && /bin/cp -u /etc/sysconfig/ip6tables "$DIR/ip6tables-DEFAULT"

# The following adds all zones, plus the xml of my defined "work" zone, to the output
date > "$DIR/firewalld-zones"
firewall-cmd --list-all-zones >> "$DIR/firewalld-zones"
echo -e "\nEND of firewalld-zones\n" >> "$DIR/firewalld-zones"
echo -e "\nDetailed xml of work zone\n(source: /etc/firewalld/zones/work.xml)\n" >> "$DIR/firewalld-zones"
[ -f /etc/firewalld/zones/work.xml ] && cat /etc/firewalld/zones/work.xml >> "$DIR/firewalld-zones"

# Listening TCP sockets, to compare against the ports the zones open
date > "$DIR/Connections"
/usr/bin/netstat -tlpn >> "$DIR/Connections"

Of course YMMV,  sorry I wrote so much.


Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/

If IP addresses weighed one gram each:
 IPv4 = half the Empire State Building vs.  IPv6 = 56 billion earths

I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.
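The four items in Jake's list, expressed as firewall-cmd calls. This is an added example, not Dave's script and not from the thread. The interface names eth0 and tun0, the resolver 192.0.2.53, the VPN endpoints 198.51.100.10 and 198.51.100.11 and OpenVPN's udp/1194 are assumptions, overridable through the environment variables at the top; the script prints the commands by default (FW_DRYRUN=1) and only executes them with FW_DRYRUN=0.

```shell
#!/bin/sh
# Added example: a firewalld "VPN kill switch" covering the four requirements.
# Every value below is an assumption for illustration; override via environment.
LAN_IF="${LAN_IF:-eth0}"                  # assumed local Ethernet device (item 1)
VPN_IF="${VPN_IF:-tun0}"                  # assumed tunnel device (item 4)
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"    # assumed resolver, documentation address (item 2)
VPN_SERVERS="${VPN_SERVERS:-198.51.100.10 198.51.100.11}"   # assumed VPN endpoints (item 3)
VPN_PROTO="${VPN_PROTO:-udp}"             # assumed OpenVPN transport
VPN_PORT="${VPN_PORT:-1194}"              # assumed OpenVPN port
FW_DRYRUN="${FW_DRYRUN:-1}"               # 1 = print the commands, 0 = run them

# Print or execute one firewall-cmd invocation.
fw() {
    if [ "$FW_DRYRUN" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

killswitch_rules() {
    # Incoming side is handled by zones: item 1 puts the Ethernet device in the
    # "drop" zone (everything inbound dropped), item 4 puts the tunnel in
    # "trusted" (everything inbound accepted).
    fw --permanent --zone=drop --change-interface="$LAN_IF"
    fw --permanent --zone=trusted --change-interface="$VPN_IF"

    # Outgoing side: firewalld zones do not filter OUTPUT, so items 1-3 on the
    # egress path are direct rules on the OUTPUT chain. Priority 0 rules land
    # above the priority 10 drop, so the exceptions are matched first.
    # Item 2: DNS to the chosen resolver, UDP and TCP port 53.
    for proto in udp tcp; do
        fw --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
            -o "$LAN_IF" -d "$DNS_SERVER" -p "$proto" --dport 53 -j ACCEPT
    done
    # Item 3: the VPN provider's endpoints.
    for ip in $VPN_SERVERS; do
        fw --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
            -o "$LAN_IF" -d "$ip" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    done
    # Item 1, egress: drop everything else leaving the Ethernet device, v4 and v6.
    # Nothing matches "-o tun0", so all traffic into the tunnel stays allowed (item 4).
    fw --permanent --direct --add-rule ipv4 filter OUTPUT 10 -o "$LAN_IF" -j DROP
    fw --permanent --direct --add-rule ipv6 filter OUTPUT 10 -o "$LAN_IF" -j DROP

    # Permanent rules take effect only after a reload.
    fw --reload
}

killswitch_rules   # dry-run by default: prints 9 firewall-cmd lines
```

Replies to the DNS query and the VPN handshake are let back in by the conntrack RELATED,ESTABLISHED rule firewalld places at the top of INPUT, ahead of the zone dispatch, so the drop zone does not break them. What this deliberately does not cover: DHCP lease renewals on the Ethernet device (they would need a udp 67/68 exception, or the lease expires under the kill switch), and IPv6 resolvers or endpoints, which need matching ipv6 direct rules. On a NetworkManager host the interface-to-zone binding is better set on the connection (`nmcli connection modify <name> connection.zone drop`) so it survives reconnects. After applying, check `firewall-cmd --get-active-zones` and `firewall-cmd --direct --get-all-rules`, and run Dave's snapshot script above to see the resulting OUTPUT_direct chain in iptables terms.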

On Wed, Sep 14, 2016 at 2:16 AM, Jake Trader <longid@fedoraproject.org> wrote:
I'd like to achieve four things in firewalld:

1. Add a rule that blocks all outgoing and incoming traffic on your local Ethernet device.
2. Add an exception for your favorite DNS server (to resolve the hostname of your VPN provider).
3. Add an exception for your VPN provider's IP addresses.
4. Add a rule for your tun/tap or any other VPN device to allow all outgoing traffic for the VPN tunnel.

Can someone tell me how?
_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedorahosted.org