Two possible solutions can be applied based on your CentOS version.
CentOS 7 & 8
CentOS 8.5 & Later
You could also use firewalld’s new output policy filters to match TFTP to the helper: firewall-cmd –permanent –new-policy tftp-client-data firewall-cmd –permanent –policy tftp-client-data –add-ingress-zone HOST firewall-cmd –permanent –policy tftp-client-data –add-egress-zone ANY firewall-cmd –permanent –policy tftp-client-data –add-service tftp firewall-cmd –reloadBy matching the outgoing traffic to the TFTP conntrack helper in the aforementioned fix, this issue is resolved and the incoming state match for “related and established” traffic later recognizes the TFTP server’s reply as being permitted in the firewall.