Nope. We definitely are not. The 521 error indicates that Cloudflare is not receiving a response from your server. Right now that is all we know. In order to troubleshoot that you need to send traffic through Cloudflare and check all the spots where it could get disrupted. Since the OS firewall is logically between Cloudflare and your webserver application, it makes sense to check it for signs of traffic passing or being rejected before moving on to the check web server itself.
How are you managing the OS firewall? Where are you logging firewall activity? Are you running additional tools that interact with the firewall, such as fail2ban or ufw?