firewalld config

On a system with one network interface, I want to allow certain services from particular addresses or ranges, without writing a bunch of rich rules. How can I add, say, freeipa-ldap but only from some addresses while allowing ssh from others and allowing https (part of freeipa-ldap) from yet others? This would be trivial with just plain old iptables, but firewalld seems to be extremely limited or poorly documented.