If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that?
I can't tell if firewalld is just really poorly documented or very limited. I am sorely tempted to disable it and just use good ol' iptables, but I don't like the kneejerk "Just disable it!" attitude, partly because one day there'll be something that you have to do "the new way", and you'll be far behind the curve.
Firewalld implements a zone concept. To allow access to services based on the source address, just create a new zone, add source addresses and services to the zone and you are done.
Here is an example.
First we create a new zone named test
firewall-cmd --permanent --new-zone=test
This new zone shall be effective for source in the 10.100.250.0/24 address range