If you are not familar with firewalld and the firewall-cmd, check out our Getting Started article.
If the firewall is not locked down, services may be able to make changes to the firewall. The firewall can be locked down.
~]# firewall-cmd --lockdown=on
You will no longer be able to add a service to the firewall.
~]# firewall-cmd --add-service=dhcp --permanent Error: ACCESS_DENIED: lockdown is enabled
Issue this command so that only you can modify the firewall. Reload the firewall, and you will again be able to modify the firewall.
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*' --permanent