Blocking outgoing ports with firewalld

I’m guessing the lack of useful examples for nearly anything firewalld-related is a testament to how few people use it; ugh. Anyway, I had a customer server with a malfunctioning application on it, sending hundreds of emails per minute. However, there were other apps on it that send legitimate emails via SMTP to localhost, so disabling the mail server while trying to get the app developer to fix the code was not an option. The quick and simple solution was to block outbound destination port 25 (except to localhost), so that locally generated email still gets queued; later, when the app is fixed, clear the queue of the errant emails, remove the port block and let everything else get delivered remotely.

Not quite sure why it was so difficult, but finding an example of using firewalld to block outbound traffic, let alone to a specific port, was hard. The following is what I came up with (rule priority 0 accepts connections to the loopback address first, then priority 1 rejects everything else to port 25):

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp -d 127.0.0.1 --dport=25 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=25 -j REJECT
firewall-cmd --reload

and for IPv6:

firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p tcp -m tcp -d ::1 --dport=25 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -p tcp -m tcp --dport=25 -j REJECT
firewall-cmd --reload

To undo them, just change add-rule to remove-rule in each command, and re-run firewall-cmd --reload.
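The same add/remove procedure wrapped into one reversible helper, as an added example rather than code from the original post. It generalises the rules above to any outbound TCP port, handles both address families, and adds a verification step; the FIREWALL_CMD override is my own assumption so the generated rules can be previewed with FIREWALL_CMD=echo before touching a live host.

```shell
#!/usr/bin/env bash
# Added example: firewalld direct rules that reject outbound TCP to a port
# while still allowing delivery to the loopback address (local MTA queueing).
# Assumes firewalld with the direct interface; FIREWALL_CMD is an assumed
# override for dry runs (FIREWALL_CMD=echo prints the commands instead).
set -u
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# egress_block add|remove PORT
# Rule priority 0: ACCEPT to loopback, so local apps can still submit mail.
# Rule priority 1: REJECT everything else to that destination port.
egress_block() {
  local action="$1" port="$2" verb family loop
  case "$action" in
    add)    verb=--add-rule ;;
    remove) verb=--remove-rule ;;
    *) echo "usage: egress_block add|remove PORT" >&2; return 2 ;;
  esac
  for family in ipv4 ipv6; do
    if [ "$family" = ipv4 ]; then loop=127.0.0.1; else loop=::1; fi
    "$FIREWALL_CMD" --permanent --direct "$verb" "$family" filter OUTPUT 0 \
      -p tcp -m tcp -d "$loop" --dport="$port" -j ACCEPT || return 1
    "$FIREWALL_CMD" --permanent --direct "$verb" "$family" filter OUTPUT 1 \
      -p tcp -m tcp --dport="$port" -j REJECT || return 1
  done
  # Permanent rules only take effect after a reload.
  "$FIREWALL_CMD" --reload
}

# show_egress_rules PORT: list the active direct rules for that port, to
# confirm the block is in place (and gone again after "remove").
show_egress_rules() {
  "$FIREWALL_CMD" --direct --get-all-rules | grep -F -- "--dport=$1" || true
}
```

Run `egress_block add 25`, confirm with `show_egress_rules 25`, and `egress_block remove 25` once the offending application is fixed and the queue is cleaned.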
