Jake: The way you stated your requirements leads me to assume you are comfortable with iptables and probably have a working script that handles the setup of iptables directly. Firewalld does use iptables (and ip6tables) but assumes you can work within some preset scenarios as defined in firewalld. Your requirements suggest a "public" zone basic setup or "trust nobody at all" with DNS and VPN services enabled. Firewalld also allows a definition of "sources", interfaces and/or IP addresses that are allowed before the basic netfilter packet path is traversed. I had been running a somewhat convoluted iptables setup at bootup in Fedora 13 and upgraded through CentOS 6 as the years passed, but CentOS 7 changed the basic game. I found firewalld was workable provided I adjusted my netfilter plan to fit its predetermined setup.
I run a short script as root to output the iptables setup from firewalld just to see how it runs and you may find that script helpful for you. Note you must create/define an output directory as I did in line 1:
#!/bin/bash
# DIR is the output directory (the original line 1 defined it); the script
# refuses to run until you set it, so nothing is written to a wrong place.
DIR="${DIR:?set DIR to your output directory before running}"
mkdir -p "$DIR/firewalld"

# filter, nat and mangle tables for IPv4, with packet counters and rule numbers
date > "$DIR/firewalld/As-of"
date > "$DIR/iptables-list"
/sbin/iptables -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table nat\n" >> "$DIR/iptables-list"
/sbin/iptables -t nat -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table mangle\n" >> "$DIR/iptables-list"
/sbin/iptables -t mangle -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\nEND of iptables list\n" >> "$DIR/iptables-list"

# same three tables for IPv6
date > "$DIR/ip6tables-list"
/sbin/ip6tables -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table nat\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t nat -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table mangle\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t mangle -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\nEND of ip6tables list\n" >> "$DIR/ip6tables-list"

# bridge rules, only if ebtables is installed
date > "$DIR/ebtables-list"
[ -x /sbin/ebtables ] && /sbin/ebtables -Ln >> "$DIR/ebtables-list"
echo -e "\nEND of ebtables list\n" >> "$DIR/ebtables-list"

# The following adds the configs that iptables would use if I used installed iptables and used it in lieu of firewalld
/sbin/iptables-save > "$DIR/saved_iptables_config"
/sbin/ip6tables-save > "$DIR/saved_ip6tables_config"

# If you have set up the traditional iptables configs the following could be added to the script
[ -f /etc/sysconfig/iptables ] && /bin/cp -u /etc/sysconfig/iptables "$DIR/iptables-DEFAULT"
[ -f /etc/sysconfig/ip6tables ] && /bin/cp -u /etc/sysconfig/ip6tables "$DIR/ip6tables-DEFAULT"

# The following adds my defined "work" zone to the output
date > "$DIR/firewalld-zones"
firewall-cmd --list-all-zones >> "$DIR/firewalld-zones"
echo -e "\nEND of firewalld-zones\n" >> "$DIR/firewalld-zones"
echo -e "\nDetailed xml of work zone\n(source: /etc/firewalld/zones/work.xml)\n" >> "$DIR/firewalld-zones"
cat /etc/firewalld/zones/work.xml >> "$DIR/firewalld-zones"

# listening TCP sockets and the processes that own them
date > "$DIR/Connections"
/usr/bin/netstat -tlpn >> "$DIR/Connections"
Of course YMMV, sorry I wrote so much.
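Capturing the iptables-save output is only half of the review; the other half is reading it. The script below is an added example, not Jake's code, that summarises a saved ruleset the way a reviewer would when checking that a firewalld "public"-style zone really only exposes DNS and the VPN port: it lists every ACCEPTed destination port, the INPUT chain's default policy, and the target of the last INPUT rule. The rule text is a constructed sample modelled on the chain names firewalld generates (IN_public, IN_public_allow); the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not captured from a real host):
# a firewalld-style public zone allowing ssh, dns (tcp+udp) and openvpn.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# open_ports: read iptables-save text on stdin, print one "proto/port" per
# ACCEPT rule that matches a destination port, sorted and de-duplicated.
open_ports() {
    awk '/^-A/ && /--dport/ && /-j ACCEPT/ {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            print proto "/" port
         }' | sort -u
}

# input_policy: the chain policy of INPUT (what happens if no rule matches).
input_policy() {
    awk '/^:INPUT / { print $2 }'
}

# input_terminal: the jump target of the last rule appended to INPUT. With a
# policy of ACCEPT this must be REJECT or DROP, otherwise unmatched traffic
# falls through to the policy and is accepted.
input_terminal() {
    awk '/^-A INPUT / {
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
         }
         END { print target }'
}

# Stand-alone run: summarise the constructed sample. To review a real
# capture, replace the printf with: cat "$DIR/saved_iptables_config"
printf '%s\n' "$SAMPLE_RULES" | open_ports
printf 'INPUT policy: %s\n'    "$(printf '%s\n' "$SAMPLE_RULES" | input_policy)"
printf 'last INPUT rule: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | input_terminal)"
```

Run against the saved_iptables_config file from the script above, a port that is not DNS, the VPN port or ssh showing up in the list means a service got added to the zone that the plan did not call for; an INPUT policy of ACCEPT with no REJECT or DROP as the last rule means the zone is not actually "trust nobody".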