While I'm a long-time iptables user I will be the first to admit it is
terribly difficult to work with. If you are starting from scratch
firewall-cmd makes a lot of sense, just like realmd greatly simplifies
the bind process to Active Directory.
It's good to know the underpinnings, but the bottom line is I need to
get stuff done fast. To be honest, I very rarely dumping in iptables
commands directly these days. It's almost always done through puppet
or copy/pasting to /etc/sysconfig/iptables for one-off's pre RHEL 7.
I've been using it for years but I doubt I could crank out a good
webserver firewall config with appropriate logging/rate-limiting
without looking up most of it. Almost everything is abstracted into
syntax for config management engines like puppet now.
I'm a fan of progress even if it's a bit of a headache at first. But
the most frustrating part of RHEL 7 has been the dramatic changes in
syntax for pretty much every core process I do on a daily basis
(systemd, firewalld, etc). For better or worse they are here to stay.
-Iain
On Thu, Oct 30, 2014 at 9:14 AM, Marko Vojinovic <vvmarko@xxxxxxxxx> wrote:
> On Thu, 30 Oct 2014 14:04:32 +0000
> Always Learning <centos@xxxxxxxxxxx> wrote:
>>
>> The order of rules in any IPtables table is pure common sense and very
>> logical. Essentially, the first rule is the first action. The second
>> rule is the second action etc.
>
> Sure, I do know how it works. :-) However, the iptables requires me to
> think about it when specifying -I or -A every time I modify the rules.
> My beef is that in most situations I don't really need to be bothered
> with that --- if I want to open a http port, the machine should be the
> one to figure out where to put the rule. I want to be bothered with
> rule order only when I am doing something complicated enough, not for
> every firewall modification.
>
>> The firewall-cmd syntax appears to me to be dumbing-down and
>> de-skilling. It hides the technical information behind the command, to
>> the detriment of the technical user.
>
> I'd say that the vast majority of users never actually need to
> see that technical information. Most server deployments are
> standardized, and the user just wants to say "I have http, ssh,
> openvpn, dhcp... services running on this machine, open appropriate
> ports". Only the more intricate configurations should require a
> learning curve.
>
> You seem to be pushing the argument that we should give up Office
> suites and force the user to write everything in TeX, since it is more
> powerful and exposes a lot more technical details to the user. But TeX
> comes with a steep learning curve, and the vast majority of people
> don't really need it. Similarly, C is far more powerful then, say,
> Phyton or a bash script, so should we do all our scripting in C?
>
> I have a feeling that RedHat has some internal statistics coming from
> customer support channels, and that in 99% of the cases the question is
> "how do I open a firewall port for httpd", while only in 1% of the
> cases the question is "I'm masquerading a subnet from one LAN, while I
> want trusted access for three machines from another LAN, but only
> through a customized sshd port, while everything else should go as
> usual, except for mail originating from a local server...". So the idea
> is to adapt the firewall-cmd tool for the most common usecases, and not
> requre them to touch stuff "under the hood" for simple tasks.
>
> People who need complicated setups can either learn how to achieve that
> using firewall-cmd itself, or shut down firewalld and configure
> iptables manually. But this should be an exception, rather than a
> rule, IMHO.
>
>> In IPtables
>>
>> -A 4web -p tcp --dport 81 -j ACCEPT
>>
>> In firewall-cmd
>>
>> firewall-cmd --add-service=http
>>
>> but that refers to port 80.
>
> firewall-cmd --add-port=81/tcp
>
> Look at the examples section of "man firewall-cmd". :-)
>
>> Hence IPtables is a lot more flexible. The
>> contrast is like playing a piano without gloves and then wearing
>> boxing gloves - the precision has vanished.
>
> Running httpd on port 81 is not really common, since all
> real-world clients are expecting it on to be on port 80. Besides, I
> haven't came across a configuration which can be achieved via iptables
> but not via firewall-cmd (though that doesn't mean that such a config
> doesn't exist). IMO firewall-cmd and iptables are fairly equivalent in
> expressive power, while the former is easier to use in most common
> situations. So precision is not lost, should you require it. But in
> most cases you don't really need it.
>
>> An informed user derives more from his computer system than someone
>> who uses the 'dumb-down' simplified pre-packaged alternative -
>> especially when there is a problem.
>
> I have a feeling that it's just the case of lazy sysadmins who don't
> want to bother reading the man page for firewall-cmd. They seem to be
> the ones who are not informed. Moreover, the lockdown and panic options
> seem to be an improvement in functionality, which does not exist if you
> only use iptables. There might also be other functionality upgrades, I
> haven't studied firewalld in detail yet.
>
> Best, :-)
> Marko
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
--
-- -
Iain Morris
iain.t.morris@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
