On Thu, 30 Oct 2014 03:56:58 +0000 Always Learning centos@u62.u22.net wrote:
> iptables -A table-name -p tcp --dport 80 -j ACCEPT
> No reboot needed. 'table-name' can be INPUT or another user defined table name.
> firewall-cmd with its Windoze-like structure and syntax is definitely unappealing to many normal firewall users.
If you compare the syntax of the two equivalent commands,
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
and
firewall-cmd --add-service=http
I'd say that the second one appears simpler, more readable, more intuitive, and less sensitive to typos. No reboot is required for either. I fail to see what is so unappealing to a user in the second one. I don't know who is a "normal firewall user". Finally, I don't see any Windows-like syntax in the second one (AFAIK, Windows doesn't have any syntax, you need to click your way through menus and checkboxes and stuff to tweak the firewall in Windows).
Incidentally, since I started using Linux I have always found iptables to have a very user-unfriendly syntax. Whenever I needed to tweak the firewall, I had to look up the man page for iptables in order to make sure I didn't screw myself over between -A and -I, -N and -n, -P and -p, etc. It was a royal pain having to pay attention to the order of the rules in the table. It was stupid having to look up explicit port numbers for common services. Various GUIs and TUIs of the time only added a whole new level of obscurity.
So I find the firewall-cmd syntax to be a major step forward wrt iptables. At least for the vast majority of common use cases.
And no, I am not a novice user from Windowsland --- I've been Linux-only since RedHat 6.2 (Zoot), back in the previous millennium... ;-)
Best, :-) Marko
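The -A versus -I point above is the one that actually bites: netfilter evaluates a chain top to bottom and the first terminating match wins, so an ACCEPT rule appended (-A) after a catch-all REJECT never fires, while the same rule inserted (-I) at the top does. The following is an added example, not code from this thread or from the iptables or firewalld projects: a toy first-match evaluator over `iptables -S`-style rule text. SAMPLE_CHAIN is constructed here, shaped like the stock CentOS 6 INPUT chain (ESTABLISHED/RELATED, icmp, lo, ssh, then a final REJECT); the function names (parse_rule, apply_command, verdict, demo) and the packet dictionaries are assumptions of this example. It models only -p, --dport, -i, --state and -j and ignores everything else. One practitioner caveat on the firewall-cmd side: `firewall-cmd --add-service=http` changes the runtime configuration only; it is lost on the next reload or reboot unless repeated with --permanent.

```python
"""Toy first-match evaluator for an iptables INPUT chain (example code, not from iptables itself)."""
import shlex

# Constructed sample chain, modelled on the CentOS 6 default /etc/sysconfig/iptables.
SAMPLE_CHAIN = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# Constructed packet: a fresh inbound HTTP connection arriving on eth0.
NEW_HTTP = {"proto": "tcp", "dport": 80, "iface": "eth0", "state": "NEW"}

TERMINATING = ("ACCEPT", "DROP", "REJECT")


def parse_rule(text):
    """Turn one `iptables -S`-style line into (chain, match-dict, target).

    Only the handful of options this example models are understood; anything
    else raises so a silently ignored match can never produce a wrong verdict.
    """
    toks = shlex.split(text)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    chain, matches, target = None, {}, None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            chain = toks[i + 1]
        elif t == "-p":
            matches["proto"] = toks[i + 1]
        elif t == "--dport":
            matches["dport"] = int(toks[i + 1])
        elif t == "-i":
            matches["iface"] = toks[i + 1]
        elif t == "--state":
            matches["state"] = set(toks[i + 1].split(","))
        elif t == "-j":
            target = toks[i + 1]
        elif t in ("-m", "--reject-with"):
            pass  # extension loader / target option: no effect on matching here
        else:
            raise ValueError("unmodelled option: %s" % t)
        i += 2
    return chain, matches, target


def apply_command(rules, cmd):
    """Apply one `iptables -A|-I INPUT [rulenum] ...` command, returning a new chain list."""
    toks = shlex.split(cmd)
    if toks[0] == "iptables":
        toks = toks[1:]
    op, chain, rest = toks[0], toks[1], toks[2:]
    if chain != "INPUT":
        raise ValueError("only the INPUT chain is modelled")
    if op == "-A":
        pos = len(rules)  # append: lands after the trailing REJECT
    elif op == "-I":
        pos = 0  # insert: defaults to the top of the chain
        if rest and rest[0].isdigit():  # optional 1-based rule number
            pos = int(rest[0]) - 1
            rest = rest[1:]
    else:
        raise ValueError("only -A and -I are modelled")
    new = list(rules)
    new.insert(pos, " ".join(["-A", chain] + rest))
    return new


def rule_matches(matches, pkt):
    """Every match option in the rule must hold for the packet."""
    for key, want in matches.items():
        if key == "state":
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First rule with a terminating target that matches decides; else the chain policy."""
    for text in rules:
        _, matches, target = parse_rule(text)
        if target in TERMINATING and rule_matches(matches, pkt):
            return target
    return policy


def demo():
    """Same ACCEPT rule, appended versus inserted, against a new HTTP connection."""
    appended = apply_command(SAMPLE_CHAIN, "iptables -A INPUT -p tcp --dport 80 -j ACCEPT")
    inserted = apply_command(SAMPLE_CHAIN, "iptables -I INPUT -p tcp --dport 80 -j ACCEPT")
    return verdict(appended, NEW_HTTP), verdict(inserted, NEW_HTTP)


if __name__ == "__main__":
    print("appended -> %s, inserted -> %s" % demo())
```

To check a real box, feed the output of `iptables -S INPUT` into `verdict` (stripping any options the parser does not model, or extending it), and compare with `iptables -L INPUT -n --line-numbers` to see exactly where an `-I INPUT 5 ...` would land relative to the final REJECT.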