Opening up a port on the CentOS 7 firewall (using firewalld)

There I was on an AWS hosted node trying to reach ports 2181 and 9092 on another AWS node where I had just followed the instructions at http://kafka.apache.org/documentation/#quickstart to get a stand-alone instance of Kafka running. After some exceptions that suggested I could not reach these ports, I fell back to trusty old telnet to verify that this was the problem.

[root@ip-172-xxx-xxx-86 kafka]# telnet kafka 22
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1
^C
Connection closed by foreign host.
[root@ip-172-xxx-xxx-86 kafka]# 
[root@ip-172-xxx-xxx-86 kafka]# telnet kafka 2181
Trying 172.xxx.xxx.45...
telnet: connect to address 172.xxx.xxx.45: No route to host
[root@ip-172-xxx-xxx-86 kafka]# 

Yep, "no route to host"!! After double-checking that these two AWS hosts should be able to talk to each other on these ports, it seemed logical that the box's own firewall might be "helping" me out. I quickly found out that with CentOS 7 we've moved away from iptables to firewalld. Thankfully, man firewall-cmd was there to help me out. I just needed to open these two ports; the following commands show what the configuration looked like before and after I made these mods.

[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh vnc-server
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --permanent --zone=public --add-port=2181/tcp
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --permanent --zone=public --add-port=9092/tcp
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --reload
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh vnc-server
  ports: 2181/tcp 9092/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# 
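The same before/check/add/reload/verify sequence as a small idempotent script, added here as an example and not part of the original post. It assumes firewall-cmd is on PATH and the script runs as root; the zone name and port list are parameters, and the parsing of the "ports:" line is what makes it safe to re-run.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently open the Kafka
# ports on a CentOS 7 host running firewalld, then verify the live zone.
# Assumes: firewall-cmd on PATH, run as root. ZONE and WANT_PORTS are
# assumed names chosen for this example.

ZONE="${ZONE:-public}"
WANT_PORTS="${WANT_PORTS:-2181/tcp 9092/tcp}"

# ports_missing ZONE_INFO PORT...: print the ports (space-separated) that are
# not already listed on the "ports:" line of `firewall-cmd --info-zone` output.
ports_missing() {
    info="$1"; shift
    have=$(printf '%s\n' "$info" | sed -n 's/^ *ports: *//p')
    out=""
    for p in "$@"; do
        case " $have " in
            *" $p "*) ;;                       # already open, nothing to do
            *) out="${out:+$out }$p" ;;        # not open yet, queue it
        esac
    done
    printf '%s' "$out"
}

# open_missing: add each missing port to the permanent config, then reload so
# the runtime rules match it (--permanent alone changes nothing until reload).
open_missing() {
    info=$(firewall-cmd --info-zone="$ZONE") || return 1
    missing=$(ports_missing "$info" $WANT_PORTS)
    if [ -z "$missing" ]; then
        echo "all ports already open in zone $ZONE"
        return 0
    fi
    for p in $missing; do
        firewall-cmd --permanent --zone="$ZONE" --add-port="$p" || return 1
    done
    firewall-cmd --reload || return 1
    # Verify against the live zone, not just the saved configuration.
    after=$(firewall-cmd --info-zone="$ZONE")
    left=$(ports_missing "$after" $WANT_PORTS)
    if [ -n "$left" ]; then
        echo "still missing after reload: $left" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    open_missing
fi
```

Note that --add-port opens the port to every source the zone accepts, so a port opened in public is reachable from anything that can route to eth0; keep the AWS security group (and the zone's source list) as the tighter control.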

Then I was "cooking with bacon" as telnet shows!

[root@ip-172-xxx-xxx-86 ~]# telnet kafka 2181
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
^CConnection closed by foreign host.
[root@ip-172-xxx-xxx-86 ~]# telnet kafka 9092
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
^CConnection closed by foreign host.
[root@ip-172-xxx-xxx-86 ~]# 

More importantly, I could now connect to this novel Kafka configuration I was using for some testing.

[root@ip-172-xxx-xxx-86 kafka]# bin/kafka-console-consumer.sh --zookeeper kafka:2181 --topic lestertester --from-beginning
Now is the time for all good men to come to the aid of their country.
 Now is the time for all good men to come to the aid of their country.
  Now is the time for all good men to come to the aid of their country.
^CProcessed a total of 3 messages
[root@ip-172-xxx-xxx-86 kafka]# 

Good luck on your use of CentOS 7's firewalld and don't forget to consult your friendly man page as needed.