https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

Example service definition (mosh)

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mobile shell that supports roaming and intelligent local echo.</short>
  <description>Mosh is a remote terminal application that supports intermittent network connectivity, roaming to different IP addresses without dropping the connection, intelligent local echo and line editing to reduce the effects of "network lag" on high-latency connections.</description>
  <port protocol="udp" port="60000-61000"/>
</service>
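
Added example, not part of the original notes: a shell function that reads a service definition like the one above on stdin and reports how many ports it opens per protocol, so a wide range such as mosh's 60000-61000 is visible before the service is enabled. The function name count_service_ports is hypothetical, and the input at the bottom is constructed from the definition on this page.

```shell
#!/bin/sh
# Added example: count the ports a firewalld service definition opens.
# Reads the service XML on stdin and prints one "protocol count" line per
# protocol, sorted by protocol name. count_service_ports is a hypothetical name.
count_service_ports() {
    # One XML element per line, so each <port .../> can be matched on its own.
    tr '>' '\n' | awk '
        /<port / {
            proto = ""; spec = ""
            if (match($0, /protocol="[^"]*"/))
                proto = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, / port="[^"]*"/))
                spec = substr($0, RSTART + 7, RLENGTH - 8)
            # Skip elements that carry no usable protocol or port value.
            if (proto == "" || spec == "") next
            # "60000-61000" is an inclusive range; "2376" is a single port.
            n = split(spec, p, "-")
            lo = p[1] + 0
            hi = (n == 2 ? p[2] : p[1]) + 0
            if (hi >= lo) total[proto] += hi - lo + 1
        }
        END { for (k in total) print k, total[k] }
    ' | sort
}

# Constructed input: the mosh port element from this page.
count_service_ports <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>mosh</short>
  <port protocol="udp" port="60000-61000"/>
</service>
EOF
```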

Enable

firewall-cmd --reload
firewall-cmd --add-service=mosh
firewall-cmd --add-service=mosh --permanent

Trust all traffic on an interface by adding it to the trusted zone (runtime only without --permanent)

firewall-cmd --zone=trusted --add-interface=tun0

Add single ports

firewall-cmd --add-port=2376/tcp --permanent
firewall-cmd --add-port=2377/tcp --permanent
firewall-cmd --add-port=7946/tcp --permanent
firewall-cmd --add-port=7946/udp --permanent
firewall-cmd --add-port=4789/udp --permanent
firewall-cmd --reload