I have added a port to the public zone in firewalld but still can't access the port
Posted by mikemaccana on Server Fault. Published on 2014-08-12T10:32:00Z.
I've been using iptables for a long time, but have never used firewalld until recently. I have enabled port 3000 TCP via firewalld with the following command:
    # firewall-cmd --zone=public --add-port=3000/tcp --permanent
However I can't access the server on port 3000. From an external box:
    $ telnet 178.62.16.244 3000
    Trying 178.62.16.244...
    telnet: connect to address 178.62.16.244: Connection refused
There are no routing issues: I have a separate rule for a port forward from port 80 to port 8000 which works fine externally. My app is definitely listening on the port too:
    Proto Recv-Q Send-Q Local Address    Foreign Address  State    User  Inode  PID/Program name
    tcp        0      0 0.0.0.0:3000     0.0.0.0:*        LISTEN   99    36797  18662/node
firewall-cmd doesn't seem to show the port either - see how "ports:" is empty. You can see the forward rule I mentioned earlier.
    # firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=
      icmp-blocks:
      rich rules:
However I can see the rule in the XML config file:
    # cat /etc/firewalld/zones/public.xml
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Public</short>
      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="dhcpv6-client"/>
      <service name="ssh"/>
      <port protocol="tcp" port="3000"/>
      <forward-port to-port="8000" protocol="tcp" port="80"/>
    </zone>
What else do I need to do to allow access to my app on port 3000?
Also: is adding access via a port the correct thing to do? Or should I make a firewalld 'service' for my app instead?
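The symptom described above (the port is present in /etc/firewalld/zones/public.xml but absent from `firewall-cmd --list-all`) is what firewalld's split between permanent and runtime configuration looks like: `--permanent` edits the zone file, while `--list-all` without `--permanent` reports the running firewall, which only picks up the saved files on `firewall-cmd --reload` (or a daemon restart). Comparing the two views is a useful check in a configuration-audit job, because a rule that is saved but not active fails silently until the next reload, and a rule that is active but not saved disappears on it. The script below is an added example, not code from the original post or from the firewalld project: it parses both views and reports the differences. The embedded sample inputs are constructed from the output quoted in the question; `collect_from_host()` reads the live views instead and assumes it is run as root on a host where the zone file exists.

```python
"""Detect drift between firewalld's runtime state and a zone's permanent config.

Added example; not code from the original Server Fault post or from firewalld.
Inputs are the text `firewall-cmd --list-all` prints (runtime view) and the
zone file under /etc/firewalld/zones/ (permanent view, what --permanent edits).
Ports or services present in the file but not in the runtime view have been
saved but not activated; they become active on `firewall-cmd --reload`.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample input: the runtime output quoted in the question.
# "ports:" is empty even though the zone file lists 3000/tcp.
RUNTIME_LIST_ALL = """\
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8000:toaddr=
  icmp-blocks:
  rich rules:
"""

# Constructed sample input: the permanent zone file quoted in the question.
PERMANENT_ZONE_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="3000"/>
  <forward-port to-port="8000" protocol="tcp" port="80"/>
</zone>
"""

# The two zone attributes this check compares.
KEYS = ("services", "ports")


def parse_runtime(list_all_text):
    """Parse `firewall-cmd --list-all` output into {'services': set, 'ports': set}."""
    state = {k: set() for k in KEYS}
    for line in list_all_text.splitlines():
        # Split on the first colon only; "forward-ports: port=80:..." keeps its colons.
        key, sep, value = line.strip().partition(":")
        if sep and key in state:
            state[key] = set(value.split())
    return state


def parse_permanent(zone_xml_text):
    """Parse a firewalld zone XML file into the same structure as parse_runtime()."""
    root = ET.fromstring(zone_xml_text.encode("utf-8"))
    return {
        "services": {s.get("name") for s in root.findall("service")},
        # firewall-cmd prints ports as PORT/PROTO, so normalise to that form.
        "ports": {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")},
    }


def diff_zone(runtime, permanent):
    """Return entries saved but not active, and entries active but not saved."""
    return {
        "saved_not_active": {k: permanent[k] - runtime[k] for k in KEYS},
        "active_not_saved": {k: runtime[k] - permanent[k] for k in KEYS},
    }


def report(drift):
    """Flatten diff_zone() output into sorted lines; an empty list means in sync."""
    lines = []
    for kind, per_key in drift.items():
        for key, items in per_key.items():
            for item in sorted(items):
                lines.append(f"{kind}: {key} {item}")
    return lines


def collect_from_host(zone="public"):
    """Read both views from a live host (assumed: root, firewall-cmd on PATH).

    The zone file only exists under /etc/firewalld/zones/ once a permanent
    change has been made; before that the defaults live under /usr/lib/firewalld.
    """
    if shutil.which("firewall-cmd") is None:
        raise RuntimeError("firewall-cmd not found; run this on a firewalld host")
    runtime = subprocess.run(
        ["firewall-cmd", f"--zone={zone}", "--list-all"],
        check=True, capture_output=True, text=True,
    ).stdout
    with open(f"/etc/firewalld/zones/{zone}.xml", encoding="utf-8") as fh:
        permanent = fh.read()
    return runtime, permanent


if __name__ == "__main__":
    drift = diff_zone(parse_runtime(RUNTIME_LIST_ALL), parse_permanent(PERMANENT_ZONE_XML))
    print("\n".join(report(drift)) or "runtime and permanent config are in sync")
```

Run as-is, the script reports `saved_not_active: ports 3000/tcp` for the sample inputs; replace the two constants with the tuple returned by `collect_from_host()` to audit a real host. The same comparison can be done by hand with `firewall-cmd --list-ports` against `firewall-cmd --permanent --list-ports`.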