Awesome job, this helped me go down the right path, I appreciate the post.
The only thing I noticed is that I believe that the location for LogDenied=all should be /etc/firewalld/firewalld.conf since /etc/sysconfig/firewalld is for startup command line options. Additionally the file for rsyslog might be better named with a .conf, sometimes default include statements might not look for a .log file.
Really good job VanagaS!
ref:https://firewalld.org/documentation/man-pages/firewalld.conf.html