Centos 7 firewall-cmd settings not persisting

Question

I have decided to do a bit of spring cleaning, and am doing a refresh of some of my underlying infrastructure.

One of the critical components I am overhauling is the Network Gateway server. I updated my Test Environment (which is an identical, but lower power copy of my Production Environment), and all worked well, but when I applied the same to my Production system, the firewall-cmd rules do not persist between reboots.

I have to run the following commands at startup:

# firewall-cmd --remove-interface=eth0 --zone=public
# firewall-cmd --remove-interface=eth1 --zone=public
# firewall-cmd --remove-interface=eth0 --zone=public --permanent
# firewall-cmd --remove-interface=eth1 --zone=public --permanent
# firewall-cmd --add-interface=eth0 --zone=external
# firewall-cmd --add-interface=eth1 --zone=internal
# firewall-cmd --add-interface=eth0 --zone=external --permanent
# firewall-cmd --add-interface=eth1 --zone=internal --permanent
# firewall-cmd --complete-reload

At which point normal service is resumed. When I run # firewall-cmd --list-all-zones after reboot, both of the interfaces have left the internal and external zones, and have returned to the public zone.

Can someone shed some light on why these settings are not persisting?

Answer 1

Changes made with firewall-cmd are only persistent when you (also) make them persistent with --permanent...

man firewall-cmd

--permanent
The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent option, a change will only be part of the runtime configuration.
...
If you want to make a change in runtime and permanent configuration, use the same call with and without the --permanent option.