[CentOS] firewalld being stupid

Tue Nov 17 14:21:39 UTC 2015
Jonathan Billings <billings at negate.org>

On Tue, Nov 17, 2015 at 09:18:22AM -0500, James B. Byrne wrote:
> This behaviour is congruent with SELinux. One utility adjusts the
> permanent configuration, the one that will be applied at startup.
> Another changes the current running environment without altering the
> startup config.  From a sysadmin point of view this is desirable since
> changes to a running system are often performed for empirical testing.
> Leaving ephemeral state changes permanently fixed in the startup
> config could, and almost certainly would eventually, lead to a serious
> problem during a reboot.
> Likewise, immediately introducing a state change to a running system
> when reconfiguring system startup options is just begging for an
> operations incident report.

Another possible reason is because when you're setting up firewalld,
you might want to batch a bunch of changes with --permanent, then,
once you've added them all, *then* you restart firewalld to pick up
the changes.  Having the firewall restart after *every* permanent
change you want to make would leave the system's firewall bouncing up
and down.

Jonathan Billings <billings at negate.org>
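The batching pattern described in the reply above, as an added example that is not part of the mailing-list thread or of the firewalld project: several --permanent changes are staged without touching the running firewall, one --reload then picks them all up, and a final check confirms that the running and startup configurations agree. The zone name "public", the services and ports, and the FW_DRY_RUN variable (which prints the commands instead of running them) are assumptions of this example; the script assumes firewall-cmd on a CentOS 7 host.

```shell
#!/bin/sh
# Added example, not code from the original thread. Stage several permanent
# firewalld changes, apply them with a single reload, and verify the result.
# Assumed names: zone "public", services http/https, ports 8443 and 9000.
# With FW_DRY_RUN=1 the firewall-cmd invocations are printed, not executed.

FW_ZONE="${FW_ZONE:-public}"

# Wrapper around firewall-cmd: print the command in dry-run mode, run it otherwise.
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Stage every change in the permanent (startup) configuration only.
# None of these calls alters the running firewall, so the host keeps its
# current rules while the new set is assembled.
fw_stage_permanent() {
    fw --permanent --zone="$FW_ZONE" --add-service=http
    fw --permanent --zone="$FW_ZONE" --add-service=https
    fw --permanent --zone="$FW_ZONE" --add-port=8443/tcp
    fw --permanent --zone="$FW_ZONE" --remove-service=dhcpv6-client
}

# One reload activates all staged changes at once, instead of bouncing the
# firewall after each individual --permanent call.
fw_apply() {
    fw --reload
}

# Runtime-only change for empirical testing: it never enters the startup
# configuration and, with --timeout, is withdrawn automatically after 300 s.
fw_runtime_test() {
    fw --zone="$FW_ZONE" --add-port=9000/tcp --timeout=300
}

# Check that the running configuration matches the permanent one after the
# reload. Only meaningful against a live firewalld, not in dry-run mode.
fw_verify() {
    running=$(fw --zone="$FW_ZONE" --list-all)
    permanent=$(fw --permanent --zone="$FW_ZONE" --list-all)
    if [ "$running" = "$permanent" ]; then
        echo "runtime and permanent configuration for zone $FW_ZONE agree"
        return 0
    fi
    echo "runtime and permanent configuration for zone $FW_ZONE differ" >&2
    return 1
}

# Full procedure: stage, apply once, verify.
fw_main() {
    fw_stage_permanent
    fw_apply
    fw_verify
}
```

Source the file and call fw_main (or run it with FW_DRY_RUN=1 first to see exactly which commands will be issued). Note that firewall-cmd --reload keeps established connections and only replaces the rule set, which is why it is preferred over a full service restart for applying staged changes; newer firewalld releases also provide --runtime-to-permanent for the opposite direction, copying a tested runtime configuration into the startup configuration.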