Exclude specific port in zone forwarding

In Network > Firewall > General Settings ...
I have my LAN zone forwarding to WAN, IOT, and DMZ zones. I enabled mDNS reflector between LAN and IOT zones in /etc/avahi/avahi-daemon.conf however I want mDNS (UDP 5353) to go one-way i.e. I want to allow mDNS multicast from IOT to LAN but block mDNS multicast from LAN to IOT.
I believe my question differs from Bridging mDNS between networks in that they didn't have LAN zone forwarding to IOT in the general case. I find my zone forwarding settings quite useful in general and would like to keep them. How can I exclude port 5353 when configuring zone forwarding?

Try removing this.

I did; along with many other combinations. It didn't help.