On Thu, October 30, 2014 9:42 pm, Always Learning wrote: > > On Thu, 2014-10-30 at 16:14 +0000, Marko Vojinovic wrote: > >> Sure, I do know how it works. :-) However, the iptables requires me to >> think about it when specifying -I or -A every time I modify the rules. > > When I set-up a server, I devise the rules and the sub-systems that > interface with IPtables and rarely change anything, except to empty > (flush) the blocked IPs in the monthly banned table. > > Adding an extra facility is usually quick and easy. I know what I want > and I instinctively know where I want the -I. Rarely do I use -A on an > established table. > > IPtables is flexible, efficient and effective. > >> My beef is that in most situations I don't really need to be bothered >> with that --- if I want to open a http port, the machine should be the >> one to figure out where to put the rule. > > Assuming the IPtables firewall is logically designed, it is very easy to > see exactly where you need to place the command. Your wish to delegate a > simple placement to the software suggests you are not well familiar with > the design and construction of your IPtables firewall. firewalld is > probably ideal for you, but I perfect the precision and flexibility of > IPtables (perhaps because I am an assembler programmer at heart) > >> You seem to be pushing the argument that we should give up Office >> suites and force the user to write everything in TeX, since it is more >> powerful and exposes a lot more technical details to the user. > > No. Writing letters and playing with spreadsheets should be done with > Libre Office. > >> But TeX >> comes with a steep learning curve, and the vast majority of people >> don't really need it. Similarly, C is far more powerful then, say, >> Phyton or a bash script, so should we do all our scripting in C? > > Use the best and most convenient tools relevant to the task. I use PHP > for most programming work. > >> Running httpd on port 81 is not really common, since all >> real-world clients are expecting it on to be on port 80. > > It was an illustration of using http on a non-standard port. Very easy > to do in IPtables. I have nothing running on 81. > > Time is finite. Having leant much, but not all, about IPtables I am > reluctant to learn firewalld just to do what I can already do, > elegantly, in IPtables. > >> I have a feeling that it's just the case of lazy sysadmins who don't >> want to bother reading the man page for firewall-cmd. > > Why waste time and energy learning a different and unappealing method to > do exactly what I can do already in IPtables ? Yes, and after all they both are the front end to the same kernel module... Valeri > > Best wishes. > > An IPtables Fan :-) > > > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos