mDNS - Avahi - Recommended Firewall Rules

What are some suggested firewall rule(s) should I use for when setting up Avahi for a multi-homed host, across lan, guest and iot networks?

Google tells me this, but I wanted to confirm.

 config rule
         list proto 'udp'
         option src '*'
         option src_port '5353'
         list dest_ip '224.0.0.251'
         option dest_port '5353'
         option target 'ACCEPT'
         option name 'Custom-mDNS'

I'd like avahi to be able to query devices in secure br-iot firewall zones for use in br-lan. But i don't want possible compromised devices in br-iot firewall zone to have knowledge about network devices in br-lan.

# lsof -i:5353
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 3851 nobody   11u  IPv4   8478      0t0  UDP *:mdns