digging deeper and looking at the jail for apache say i see it's set with
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
which means it will use iptables - which i'm not running so can i just amend that to the action required for firewalld
There must be someone else...