What | Removed | Added |
---|---|---|
CC | dfaggioli@suse.com |
(In reply to jean-christophe baptiste from comment #27)

> (In reply to Ferdinando Vivacqua from comment #26)
> > It doesn't work for me.
> > I fixed with iptables -A OUTPUT -p tcp --destination-port 8008 -j DROP
> > iptables -A OUTPUT -p tcp --destination-port 8009 -j DROP
>
> It does and it's the right way to manage rules in the default settings. It's just that you have not reloaded firewalld (or rebooted). You should have searched a bit because it's not a help forum.

Mmm... Interestingly, I did this:

```
# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="8009" protocol="tcp" reject'
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp58s0
  sources:
  services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" port port="8009" protocol="tcp" reject
```

(note that there was a typo in your rule: "family=tcp" needs to be "family=ipv4", I think)

But I can still connect:

```
$ telnet portquiz.net 8008
Trying 52.47.209.216...
Connected to portquiz.net.
Escape character is '^]'.
^]
```

OTOH, this:

```
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP
success
# sudo firewall-cmd --reload
success
# firewall-cmd --direct --get-all-rules
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP
```

Works for me:

```
$ telnet portquiz.net 8008
Trying 52.47.209.216...
```
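The behaviour shown in the comment above has a simple explanation: firewalld rich rules are attached to a zone, and zones filter traffic arriving at the host, so a rich rule cannot block an outbound connection; direct rules on the iptables OUTPUT chain can. The script below is an added example, not part of the bug report, that wraps the working direct-rule approach for a list of ports and adds a check that parses `firewall-cmd --direct --get-all-rules` output; the `FIREWALL_CMD` variable is an assumption so the script can be exercised without a live firewalld.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): block outbound TCP ports with
# firewalld direct rules, the approach that worked in the comment above.
# Rich rules only filter inbound traffic, which is why the 8009 rich rule
# had no effect on the outbound telnet test.
set -eu

# Assumption: FIREWALL_CMD lets a dry run substitute e.g. "echo" for the
# real firewall-cmd binary.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Build the direct-rule arguments for one outbound TCP port, in the same
# form the comment used (IPv4 filter table, OUTPUT chain, priority 0).
direct_rule_args() {
    printf 'ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=%s -j DROP' "$1"
}

# Add a permanent direct rule for each port given, then reload once so
# the rules take effect (the missing reload was the first suspicion in
# the thread).
block_outbound_tcp() {
    for port in "$@"; do
        # shellcheck disable=SC2046  # word splitting is intended here
        "$FIREWALL_CMD" --permanent --direct --add-rule $(direct_rule_args "$port")
    done
    "$FIREWALL_CMD" --reload
}

# Read a "--direct --get-all-rules" dump on stdin and return 0 when it
# contains a DROP or REJECT for the given outbound TCP port. Accepts
# both "--dport=8008" and "--dport 8008" spellings.
port_is_blocked() {
    grep -Eq "^ipv4 filter OUTPUT [0-9]+ .*--dport[= ]$1( |$).*-j (DROP|REJECT)"
}

# Typical use on a real host:
#   block_outbound_tcp 8008 8009
#   firewall-cmd --direct --get-all-rules | port_is_blocked 8008 && echo blocked
```

Running with `FIREWALL_CMD=echo` prints the exact `firewall-cmd` invocations without touching the firewall, which is a convenient way to review the rules before applying them.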