How to restrict access to port from specific source IP

firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="10.109.10.10/32"
  port protocol="tcp" port="3000" accept'
cat /etc/firewalld/zones/public.xml
firewall-cmd --reload