Why firewalld doesn't apply my drop rule?

I had the same/similar issues. After hours of troubleshooting, I have the following observations.

The order of the iptables rule chain (for 'public' zone) is:

IN_public_log
IN_public_deny
IN_public_allow

This means that 'deny' rules are processed before 'allow' rules, so this is significant in understanding what order the rules are matched in. I don't know whether this order can be changed.

I came across the same issue in that issuing a firewall-cmd --reload did not seem to impact whether the SIP packets get dropped or accepted, but a reboot resolved it.

However, I found the firewall-cmd --complete-reload command and that seems to be working better, although I think this will drop any existing sessions. But at least I can get the firewalld rules changed and not have to reboot to get it to fully/properly apply.

I have also noticed that sngrep still seems to be able to capture and display the SIP message even though it is blocked, but it shows it with a msg count of 1 and there is no response message (because it was actually blocked).

UPDATE: I understand sngrep (since 0.1.0) uses libpcap - see https://github.com/irontec/sngrep/wiki. According to this post, libpcap processes the (inbound) packets before they get processed by the 'firewall'. I assume 'firewall' in this case can also mean firewalld. See "Will tcpdump see packets that are being dropped by iptables?"

Note: CentOS 7 seems to come with firewalld version 0.4.4.4. The latest is 0.6.0, but I don't know how to upgrade it yet. I'm hoping the newer versions may resolve/fix the above issues.
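Because a packet capture tool such as sngrep sees inbound packets before the firewall drops them, the reliable way to confirm that a firewalld drop rule is in effect is to inspect the rules firewalld actually installed in the kernel (the IN_<zone>_log / IN_<zone>_deny / IN_<zone>_allow chain order the answer describes). The following is an added example, not code from the answer above or from the firewalld project: it parses `iptables -S` output, reports the order in which a zone's sub-chains are consulted, and checks whether a DROP for a given source address is present in the deny chain. The ruleset embedded in SAMPLE_RULESET is constructed to resemble what firewalld 0.4.x installs for a 'public' zone with one rich rule; on a live host you would feed the functions the real output with `iptables -S | zone_chain_order public`.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` (filter table) on a firewalld 0.4.x host.
# This is an approximation written for the example, not captured output.
SAMPLE_RULESET='-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_deny -s 203.0.113.5/32 -j DROP'

# zone_chain_order ZONE  (stdin: output of `iptables -S`)
# Prints, one per line and in evaluation order, the IN_<zone>_* sub-chains
# that the IN_<zone> chain jumps to. The first line wins a match first.
zone_chain_order() {
  awk -v chain="IN_$1" \
    '$1 == "-A" && $2 == chain && $3 == "-j" && $4 ~ ("^" chain "_") { print $4 }'
}

# deny_precedes_allow ZONE  (stdin: output of `iptables -S`)
# Returns 0 when the deny chain is consulted before the allow chain,
# i.e. a rich "drop" rule will beat a matching "accept" rule in this zone.
deny_precedes_allow() {
  order=$(zone_chain_order "$1")
  deny_pos=$(printf '%s\n' "$order" | grep -n "^IN_$1_deny\$" | cut -d: -f1)
  allow_pos=$(printf '%s\n' "$order" | grep -n "^IN_$1_allow\$" | cut -d: -f1)
  [ -n "$deny_pos" ] && [ -n "$allow_pos" ] && [ "$deny_pos" -lt "$allow_pos" ]
}

# drop_rule_present ZONE SOURCE_IPV4  (stdin: output of `iptables -S`)
# Returns 0 when the zone's deny chain contains a DROP for that exact host.
# A rich rule "source address=203.0.113.5 drop" shows up as a /32 match.
drop_rule_present() {
  grep -q -- "^-A IN_$1_deny -s $2/32 .*-j DROP\$"
}

# Stand-alone demonstration on the constructed ruleset.
printf 'Evaluation order for zone public:\n'
printf '%s\n' "$SAMPLE_RULESET" | zone_chain_order public
if printf '%s\n' "$SAMPLE_RULESET" | deny_precedes_allow public; then
  printf 'deny chain is consulted before allow chain\n'
fi
if printf '%s\n' "$SAMPLE_RULESET" | drop_rule_present public 203.0.113.5; then
  printf 'DROP for 203.0.113.5 is installed in IN_public_deny\n'
fi
```

If drop_rule_present fails on a live host right after `firewall-cmd --reload`, the rule never reached the kernel, which matches the behaviour described above; re-run the check after `firewall-cmd --complete-reload` rather than trusting what sngrep displays, since the capture happens before the DROP is applied.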