firewalld: blocking outgoing connections also blocks incoming connections
Solution 1:
I'm just spinning up an instance to test, but I suspect it's because you're not allowing related/established outbound rules as well, so the kernel is killing your existing connections.
Update: I'm sure this is the problem. I just tested it by booting CentOS 7 on an EC2 instance, installing FirewallD, and then pasting in your first rule without the permanent flag. All working okay.
As soon as I pasted in the DROP rule, I got disconnected.
In the link you provided, the first rule they add is an ESTABLISHED,RELATED rule. This means that connections that are allowed in are allowed out (so the firewall is stateful). Without that rule, you have no stateful rules and your SSH connection can't establish.
So your actual list of rules needs to be:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
Note I've included HTTP, HTTPS, and DNS as well - else connections won't establish to DNS names because the server won't be able to resolve them...
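As an added illustration (not part of the answer above), here is a small POSIX shell lint that checks a dump of firewalld direct rules for exactly the failure mode described: an OUTPUT chain catch-all DROP with no ESTABLISHED,RELATED ACCEPT rule, or with that rule at a priority that does not precede the DROP. The two rule sets below are constructed sample input; the line format is assumed to match what `firewall-cmd --permanent --direct --get-all-rules` prints (`<ipv> <table> <chain> <priority> <iptables args...>`), and the function name `check_output_rules` is this example's own.

```shell
#!/bin/sh
# Added example: lint firewalld direct rules for an OUTPUT DROP that is not
# preceded by a stateful ESTABLISHED,RELATED ACCEPT. Lower direct-rule priority
# numbers are inserted earlier in the chain, so the ACCEPT must have a strictly
# lower priority than the catch-all DROP to be evaluated first.

# Constructed sample: the asker's situation (port allow + bare DROP, no state rule).
BROKEN_RULES='ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
ipv4 filter OUTPUT 2 -j DROP'

# Constructed sample: the rule set recommended in the answer.
FIXED_RULES='ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 2 -j DROP'

# check_output_rules: read rule lines on stdin, print a verdict,
# return 0 when the OUTPUT chain is stateful-safe and 1 when it is not.
check_output_rules() {
    awk '
        # Only ipv4 filter OUTPUT direct rules matter for this check.
        $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
            prio = $4 + 0
            if ($0 ~ /--state ESTABLISHED,RELATED/ && $0 ~ /-j ACCEPT$/) {
                # Remember the earliest (lowest-priority) stateful ACCEPT.
                if (!have_state || prio < state_prio) { have_state = 1; state_prio = prio }
            } else if ($0 ~ /-j DROP$/ && $0 !~ /--dport|--state|-s |-d /) {
                # A DROP with no port, state or address match is a catch-all.
                if (!have_drop || prio < drop_prio) { have_drop = 1; drop_prio = prio }
            }
        }
        END {
            if (!have_drop) {
                print "OK: no catch-all OUTPUT DROP present"; exit 0
            }
            if (!have_state) {
                print "RISK: OUTPUT DROP at priority " drop_prio " with no ESTABLISHED,RELATED ACCEPT;" \
                      " replies to inbound sessions (e.g. SSH) will be dropped"
                exit 1
            }
            if (state_prio < drop_prio) {
                print "OK: ESTABLISHED,RELATED ACCEPT (prio " state_prio ") precedes DROP (prio " drop_prio ")"
                exit 0
            }
            print "RISK: ESTABLISHED,RELATED ACCEPT (prio " state_prio ") does not precede DROP (prio " drop_prio ")"
            exit 1
        }
    '
}

# Demo on the two constructed rule sets; the broken one returns status 1.
printf '%s\n' "$BROKEN_RULES" | check_output_rules || :
printf '%s\n' "$FIXED_RULES" | check_output_rules
```

Against a live host the same function can lint the real configuration with `firewall-cmd --permanent --direct --get-all-rules | check_output_rules`, run before reloading so a misordered or missing state rule is caught before it costs you the SSH session.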