On Fri, Oct 31, 2014 at 02:42:03AM +0000, Always Learning wrote:
> Assuming the IPtables firewall is logically designed, it is very easy to
> see exactly where you need to place the command. Your wish to delegate a
> simple placement to the software suggests you are not well familiar with
> the design and construction of your IPtables firewall. firewalld is
> probably ideal for you, but I prefer the precision and flexibility of
> IPtables (perhaps because I am an assembler programmer at heart)

If you manage your systems through a configuration management system like
puppet, chef or bcfg2, managing the monolithic /etc/sysconfig/iptables is a
pain. I ended up templating it, and having various group memberships define
how the file is created from the template.

One of the features firewalld brings is being able to place different
configuration parts into separate files, to be incorporated into the
firewall dynamically. This is a dev web host? It gets a zone letting only
the developers access httpd. This other system is a production mysql
server? Define the zone allowing the production application servers access
to the mysql port. Have each configuration bundle that defines a service
drop in a service definition.

-- 
Jonathan Billings <billings at negate.org>
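The drop-in layout described above (one file per service, one per zone, which a configuration management bundle can ship independently), as an added example that is not part of the original message. The FIREWALLD_ETC override, the dev-httpd service name and port, and the source networks are assumptions made for the example; the file formats are firewalld's own services/*.xml and zones/*.xml.

```shell
#!/bin/sh
# Generate firewalld drop-in definitions, one file per service and one per
# zone, instead of templating a single monolithic /etc/sysconfig/iptables.
# FIREWALLD_ETC is an assumed override (real location: /etc/firewalld) so the
# generator can be dry-run into a scratch directory before deployment.
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"

# write_service NAME PORT PROTO DESCRIPTION
# Writes $FIREWALLD_ETC/services/NAME.xml. DESCRIPTION must not contain XML
# metacharacters; it is inserted verbatim.
write_service() {
    name="$1"; port="$2"; proto="$3"; desc="$4"
    mkdir -p "$FIREWALLD_ETC/services"
    cat > "$FIREWALLD_ETC/services/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# write_zone NAME SERVICE SOURCE...
# Writes $FIREWALLD_ETC/zones/NAME.xml: traffic from the listed source
# networks is bound to this zone, only SERVICE is allowed, and the DROP
# target discards everything else (least privilege per host role).
write_zone() {
    name="$1"; service="$2"; shift 2
    mkdir -p "$FIREWALLD_ETC/zones"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone target="DROP">\n  <short>%s</short>\n' "$name"
        for src in "$@"; do
            printf '  <source address="%s"/>\n' "$src"
        done
        printf '  <service name="%s"/>\n</zone>\n' "$service"
    } > "$FIREWALLD_ETC/zones/$name.xml"
}

# Example roles from the message (constructed values):
# a dev web host reachable only from the developer networks, and a
# production mysql server reachable only from the application servers.
# After dropping the files in, `firewall-cmd --reload` activates them.
if [ "${1:-}" = "demo" ]; then
    write_service dev-httpd 8080 tcp "Development web server"
    write_zone dev-web dev-httpd 10.10.0.0/24 10.10.1.0/24
    write_zone prod-db mysql 10.20.5.0/24
fi
```

Run with `FIREWALLD_ETC=/tmp/fw ./gen.sh demo` to inspect the generated files before pointing it at the real directory.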