Sorry for that question, but I seem not to get it.
I want to block all outgoing traffic and allow it manually.
So far, so good. I made rules for green clients to the red network.
But the problem is the internal DoT servers: they cannot go outside.
So I made rules for them:
from red firewall with source NAT for red to the IP of the DNS with TCP port 853 (source port something like 53625)
But it has no effect; drop_output in the log to the DNS servers.
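One thing worth checking when a firewall logs drops like the drop_output entries mentioned above is which chain the packet was dropped in and whether it originated from the firewall host itself or was forwarded for a client. The script below is an added example, not code from the original post or from any firewall project: it parses lines in the standard netfilter LOG format and summarizes drops by log prefix, origin, destination and port. The log lines, prefix names, addresses and interface names are constructed for the example and are assumptions, not taken from a real system.

```python
"""Summarize netfilter LOG entries (drop_output-style lines) by chain, origin,
destination and port, so an admin can see which rule set is actually dropping
DNS-over-TLS (TCP/853) traffic.

Added example, not part of the original post. Sample lines, prefixes, addresses
and interface names below are constructed and are assumptions.
"""
import re
from collections import Counter

# Constructed sample lines in the standard netfilter LOG format (assumed values).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: DROP_OUTPUT IN= OUT=red0 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=53625 DPT=853 SYN
Jan 10 12:00:02 fw kernel: DROP_OUTPUT IN= OUT=red0 SRC=203.0.113.10 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=53626 DPT=853 SYN
Jan 10 12:00:03 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.20 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=40000 DPT=53
Jan 10 12:00:04 fw kernel: DROP_OUTPUT IN= OUT=red0 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=53627 DPT=853 SYN
"""

# Fields of interest in a netfilter LOG line: the log prefix, IN/OUT interfaces,
# source/destination address, protocol and (for TCP/UDP) source/destination port.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Z_]+) IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line is not a LOG entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "prefix": d["prefix"],
        "in_if": d["in"],
        "out_if": d["out"],
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "spt": int(d["spt"]) if d["spt"] else None,
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def is_locally_originated(entry):
    """A packet logged from the OUTPUT chain has an empty IN interface: it was
    generated by the firewall host itself (e.g. its own resolver), not forwarded
    on behalf of a client behind green."""
    return entry["in_if"] == ""


def summarize_drops(log_text):
    """Count drops keyed by (prefix, origin, destination, protocol, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        origin = "firewall-itself" if is_locally_originated(e) else f"via {e['in_if']}"
        counts[(e["prefix"], origin, e["dst"], e["proto"], e["dpt"])] += 1
    return counts


def dot_drops(log_text, resolvers):
    """Count dropped firewall-originated TCP/853 connections per resolver IP."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if (
            e is not None
            and is_locally_originated(e)
            and e["proto"] == "TCP"
            and e["dpt"] == 853
            and e["dst"] in resolvers
        ):
            hits[e["dst"]] += 1
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG).items(), key=str):
        print(n, *key)
    print("DoT drops:", dict(dot_drops(SAMPLE_LOG, {"198.51.100.1", "198.51.100.2"})))
```

Feed it the relevant lines from the firewall log in place of SAMPLE_LOG. Entries with an empty IN interface are the firewall's own connections, so a rule written for forwarded traffic from green to red does not match them; the summary makes that distinction visible before any rule is changed.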