Hi
I found your reply irrelevant. I just want to limit output access of myserver to other servers.
in the /etc/firewalld/zones/iredmail.xml path services is defined . how can I limit access like this:

sudo iptables -A INPUT  -p udp --sport 53  -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.10.10/32,192.168.10.100/32-p udp --dport 53  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

Hi, Do you mean I can not control outgoing traffic?

would you plz help me to solve this issue?

forget about output traffic, I want to control traffic. e.g. : just multiple IPS can have ssh or https access , or my mail be prohobited to have ssh access to the other servers in the same subnet. However, I found blocked ip in result of iptables -nL command, which I had blocked in iredadmin, so I can not flush iptables or firewalld configuration. In addition, fail2ban operation is integrated to firewalld and it is configured by iredmail. Therefore,I think there are somethings which is related to iredmail configuration and it can not be purely firewall knowledge.

How can I do it by firewall while they are in the same subnet?

I really dont see ANY reason to limit troughput to same subnet?
so you want to block everything outside beside port 25 and 53?

i dont see any reason to do that, if you want limits you can do so with iredapd, which works way better on a per user/per domain solution, but blocking outgoing traffic beside port 25 and 53 will likely render your system inoperable, since you cant even get updates anymore