While I'm a long-time iptables user I will be the first to admit it is terribly difficult to work with. If you are starting from scratch, firewall-cmd makes a lot of sense, just like realmd greatly simplifies the bind process to Active Directory. It's good to know the underpinnings, but the bottom line is I need to get stuff done fast.

To be honest, I very rarely dump in iptables commands directly these days. It's almost always done through puppet or copy/pasting to /etc/sysconfig/iptables for one-offs pre-RHEL 7. I've been using it for years, but I doubt I could crank out a good webserver firewall config with appropriate logging/rate-limiting without looking up most of it. Almost everything is abstracted into syntax for config management engines like puppet now.

I'm a fan of progress even if it's a bit of a headache at first. But the most frustrating part of RHEL 7 has been the dramatic changes in syntax for pretty much every core process I do on a daily basis (systemd, firewalld, etc). For better or worse they are here to stay.

-Iain

On Thu, Oct 30, 2014 at 9:14 AM, Marko Vojinovic <vvmarko at gmail.com> wrote:
> On Thu, 30 Oct 2014 14:04:32 +0000
> Always Learning <centos at u62.u22.net> wrote:
>>
>> The order of rules in any IPtables table is pure common sense and very
>> logical. Essentially, the first rule is the first action. The second
>> rule is the second action etc.
>
> Sure, I do know how it works. :-) However, iptables requires me to
> think about it when specifying -I or -A every time I modify the rules.
> My beef is that in most situations I don't really need to be bothered
> with that --- if I want to open an http port, the machine should be the
> one to figure out where to put the rule. I want to be bothered with
> rule order only when I am doing something complicated enough, not for
> every firewall modification.
>
>> The firewall-cmd syntax appears to me to be dumbing-down and
>> de-skilling. It hides the technical information behind the command, to
>> the detriment of the technical user.
>
> I'd say that the vast majority of users never actually need to
> see that technical information. Most server deployments are
> standardized, and the user just wants to say "I have http, ssh,
> openvpn, dhcp... services running on this machine, open appropriate
> ports". Only the more intricate configurations should require a
> learning curve.
>
> You seem to be pushing the argument that we should give up Office
> suites and force the user to write everything in TeX, since it is more
> powerful and exposes a lot more technical details to the user. But TeX
> comes with a steep learning curve, and the vast majority of people
> don't really need it. Similarly, C is far more powerful than, say,
> Python or a bash script, so should we do all our scripting in C?
>
> I have a feeling that RedHat has some internal statistics coming from
> customer support channels, and that in 99% of the cases the question is
> "how do I open a firewall port for httpd", while only in 1% of the
> cases the question is "I'm masquerading a subnet from one LAN, while I
> want trusted access for three machines from another LAN, but only
> through a customized sshd port, while everything else should go as
> usual, except for mail originating from a local server...". So the idea
> is to adapt the firewall-cmd tool for the most common use cases, and not
> require them to touch stuff "under the hood" for simple tasks.
>
> People who need complicated setups can either learn how to achieve that
> using firewall-cmd itself, or shut down firewalld and configure
> iptables manually. But this should be an exception, rather than a
> rule, IMHO.
>
>> In IPtables
>>
>> -A 4web -p tcp --dport 81 -j ACCEPT
>>
>> In firewall-cmd
>>
>> firewall-cmd --add-service=http
>>
>> but that refers to port 80.
>
> firewall-cmd --add-port=81/tcp
>
> Look at the examples section of "man firewall-cmd". :-)
>
>> Hence IPtables is a lot more flexible. The
>> contrast is like playing a piano without gloves and then wearing
>> boxing gloves - the precision has vanished.
>
> Running httpd on port 81 is not really common, since all
> real-world clients are expecting it to be on port 80. Besides, I
> haven't come across a configuration which can be achieved via iptables
> but not via firewall-cmd (though that doesn't mean that such a config
> doesn't exist). IMO firewall-cmd and iptables are fairly equivalent in
> expressive power, while the former is easier to use in most common
> situations. So precision is not lost, should you require it. But in
> most cases you don't really need it.
>
>> An informed user derives more from his computer system than someone
>> who uses the 'dumb-down' simplified pre-packaged alternative -
>> especially when there is a problem.
>
> I have a feeling that it's just the case of lazy sysadmins who don't
> want to bother reading the man page for firewall-cmd. They seem to be
> the ones who are not informed. Moreover, the lockdown and panic options
> seem to be an improvement in functionality, which does not exist if you
> only use iptables. There might also be other functionality upgrades, I
> haven't studied firewalld in detail yet.
>
> Best, :-)
> Marko
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
- Iain Morris
iain.t.morris at gmail.com
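The port-81 exchange above maps one simple iptables rule shape onto its firewall-cmd equivalent. The script below is an added example, not code from the thread or from firewalld: it performs that mapping for the plain "open a port" rule form, emits `--add-service=http` only for 80/tcp (the case the thread distinguishes), and refuses anything with extra match options, which is where a rich rule or hand-written iptables is still needed. The function name and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Added example: translate a plain "open a port" iptables rule into the
# equivalent firewall-cmd invocation. Handles only this shape:
#   -A|-I <chain> -p <proto> --dport <port> -j ACCEPT
# Rules carrying -s, -m limit, LOG targets etc. return 1 so the caller
# knows they need a rich rule or manual iptables rather than a guess.

iptables_to_firewall_cmd() {
    # $1: one iptables rule string, e.g. "-A 4web -p tcp --dport 81 -j ACCEPT"
    proto=""; port=""; target=""
    set -- $1                     # word-split the rule into its tokens
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I) shift ;;       # chain name and -I/-A position: firewalld
                                  # places the rule itself, so drop them
            -p) proto=$2; shift ;;
            --dport) port=$2; shift ;;
            -j) target=$2; shift ;;
            *) return 1 ;;        # any other match/option is not a plain open
        esac
        shift
    done
    [ "$target" = ACCEPT ] && [ -n "$proto" ] && [ -n "$port" ] || return 1
    # 80/tcp is the predefined http service; anything else is a raw port.
    if [ "$port" = 80 ] && [ "$proto" = tcp ]; then
        echo "firewall-cmd --permanent --add-service=http"
    else
        echo "firewall-cmd --permanent --add-port=${port}/${proto}"
    fi
}

# Constructed sample rules for a stand-alone run (not from the thread).
for rule in "-A 4web -p tcp --dport 81 -j ACCEPT" \
            "-I INPUT -p tcp --dport 80 -j ACCEPT" \
            "-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT"; do
    iptables_to_firewall_cmd "$rule" || echo "no simple mapping for: $rule"
done
```

`--permanent` writes the configuration file only; follow it with `firewall-cmd --reload`, or repeat the command without `--permanent`, to change the running firewall.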