Firewalld reject IPs on CentOS 7/8
Use a rich rule to reject a source network:
$ firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.0.10.0/24' reject"
Or limit the reject to a single port:
$ firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.0.10.0/24' port port='110' protocol='tcp' reject"
$ firewall-cmd --reload
Reject dovecot and postfix traffic from external IPs and accept internal IPs
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="25" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="110" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="143" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="192.168.0.0/16" accept'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" accept'
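Within a zone, firewalld evaluates reject/drop rich rules before accept rules regardless of the order they were added, so the port rejects above also match clients in 192.168.0.0/16. The following is an added example, not from the original page, that rejects each mail port only for sources outside the internal range by using `source not address`; the zone name `public` and the dry-run `APPLY` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed: zone "public" and
# the APPLY switch; the range and ports are the ones used above.
INTERNAL_NET="192.168.0.0/16"
MAIL_PORTS="25 110 143"
ZONE="public"

# Accept only a decimal TCP port in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build one rich rule: reject TCP port $1 for every source outside $2.
build_reject_rule() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    printf 'rule family="ipv4" source not address="%s" port port="%s" protocol="tcp" reject' "$2" "$1"
}

# Dry run by default: print the commands. APPLY=1 runs them (needs root).
apply_rules() {
    for p in $MAIL_PORTS; do
        rule=$(build_reject_rule "$p" "$INTERNAL_NET") || return 1
        if [ "${APPLY:-0}" = "1" ]; then
            firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
        else
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$rule"
        fi
    done
    if [ "${APPLY:-0}" = "1" ]; then
        # Load the permanent rules and show what the zone now contains.
        firewall-cmd --reload && firewall-cmd --zone="$ZONE" --list-rich-rules
    fi
}

apply_rules
```

Internal clients still need an allow for these ports, either the 192.168.0.0/16 accept rule above or the mail services added to the zone.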
Get all rules
$ firewall-cmd --list-all
$ firewall-cmd --permanent --direct --get-all-rules
We can also edit the firewalld XML files directly: /etc/firewalld/direct.xml for direct rules and /etc/firewalld/zones/public.xml for the default zone (public), then reload.
References
https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
https://access.redhat.com/discussions/1342573