On Thu, 2014-10-30 at 16:14 +0000, Marko Vojinovic wrote:

> Sure, I do know how it works. :-) However, the iptables requires me to
> think about it when specifying -I or -A every time I modify the rules.

When I set up a server, I devise the rules and the sub-systems that
interface with IPtables and rarely change anything, except to empty
(flush) the blocked IPs in the monthly banned table.

Adding an extra facility is usually quick and easy. I know what I want
and I instinctively know where I want the -I. Rarely do I use -A on an
established table.

IPtables is flexible, efficient and effective.

> My beef is that in most situations I don't really need to be bothered
> with that --- if I want to open a http port, the machine should be the
> one to figure out where to put the rule.

Assuming the IPtables firewall is logically designed, it is very easy to
see exactly where you need to place the command. Your wish to delegate a
simple placement to the software suggests you are not well familiar with
the design and construction of your IPtables firewall.

firewalld is probably ideal for you, but I prefer the precision and
flexibility of IPtables (perhaps because I am an assembler programmer at
heart).

> You seem to be pushing the argument that we should give up Office
> suites and force the user to write everything in TeX, since it is more
> powerful and exposes a lot more technical details to the user.

No. Writing letters and playing with spreadsheets should be done with
LibreOffice.

> But TeX
> comes with a steep learning curve, and the vast majority of people
> don't really need it. Similarly, C is far more powerful than, say,
> Python or a bash script, so should we do all our scripting in C?

Use the best and most convenient tools relevant to the task. I use PHP
for most programming work.

> Running httpd on port 81 is not really common, since all
> real-world clients are expecting it to be on port 80.

It was an illustration of using http on a non-standard port. Very easy
to do in IPtables. I have nothing running on 81.

Time is finite. Having learnt much, but not all, about IPtables I am
reluctant to learn firewalld just to do what I can already do,
elegantly, in IPtables.

> I have a feeling that it's just the case of lazy sysadmins who don't
> want to bother reading the man page for firewall-cmd.

Why waste time and energy learning a different and unappealing method to
do exactly what I can do already in IPtables?

Best wishes.

An IPtables Fan :-)
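The point argued above, that you have to know where a rule goes, comes down to first-match semantics in a chain that ends with a catch-all DROP: an ACCEPT appended with -A lands below the DROP and is never reached, while -I with a rule number places it above. The script below is an added example written for this thread, not code from either correspondent. It does not touch the kernel: CHAIN is a constructed, in-memory model of an INPUT chain ("<dport|any> <target>" per line), and IPT defaults to echoing the iptables command each change would issue, so it runs offline as an ordinary user. The port numbers (22, 80, and the non-standard http port 81 from the thread) and the rule position 3 are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): why "iptables -A" versus
# "iptables -I" decides whether a new ACCEPT rule for http on port 81 ever
# matches, using an in-memory model of an INPUT chain instead of live rules.
IPT=${IPT:-"echo iptables"}   # set IPT=iptables on a real host to run the commands

# Constructed starting chain: ssh and http accepted, everything else dropped
# by a final catch-all, the usual shape of a hand-built INPUT chain.
reset_chain() {
    CHAIN="22 ACCEPT
80 ACCEPT
any DROP"
}

# append_rule PORT TARGET  - mirrors: iptables -A INPUT -p tcp --dport PORT -j TARGET
# The new rule lands after the catch-all DROP, so it can never match.
append_rule() {
    $IPT -A INPUT -p tcp --dport "$1" -j "$2"
    CHAIN=$(printf '%s\n%s %s\n' "$CHAIN" "$1" "$2")
}

# insert_rule POS PORT TARGET - mirrors: iptables -I INPUT POS -p tcp --dport PORT -j TARGET
# The new rule becomes number POS (1-based); rules from POS onwards shift down.
insert_rule() {
    $IPT -I INPUT "$1" -p tcp --dport "$2" -j "$3"
    CHAIN=$(printf '%s\n' "$CHAIN" |
        awk -v pos="$1" -v rule="$2 $3" \
            'NR == pos { print rule } { print } END { if (NR < pos) print rule }')
}

# first_match PORT - prints the target of the first rule matching PORT, the way
# the kernel walks the chain; falls back to the chain policy if nothing matches.
first_match() {
    printf '%s\n' "$CHAIN" | awk -v port="$1" '
        $1 == "any" || $1 == port { print $2; found = 1; exit }
        END { if (!found) print "ACCEPT (chain policy)" }'
}

# show_chain - numbered listing, like "iptables -L INPUT --line-numbers".
show_chain() {
    printf '%s\n' "$CHAIN" | awk '{ printf "%d  dport=%-4s %s\n", NR, $1, $2 }'
}

reset_chain
echo "== -A: the port 81 rule is appended below the catch-all DROP =="
append_rule 81 ACCEPT
show_chain
echo "port 81 verdict: $(first_match 81)"    # DROP: the appended rule is dead

reset_chain
echo "== -I INPUT 3: the port 81 rule is placed above the catch-all DROP =="
insert_rule 3 81 ACCEPT
show_chain
echo "port 81 verdict:  $(first_match 81)"   # ACCEPT
echo "port 443 verdict: $(first_match 443)"  # DROP: everything else stays closed
```

Run it as-is to see both orderings side by side; the echoed iptables commands are exactly what you would type, and the numbered listing is what `iptables -L INPUT --line-numbers` would show, which is the quickest way to confirm a new rule sits where you meant it to before the catch-all.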