I suppose that depends on what you mean by cryptic. Is it the syntax of
the commands that you don't understand, or the functions that a rule
needs?
Actually, the most cryptic thing isn't any individual command
(though they can certainly be cryptic too), it is the need to
actually understand the obscure inner workings of internet
protocols to realize there are rules you need beyond the
obvious.
Anyway, I think I came up with something that works by using
system-config-firewall to build some rules that do part of
what I want, then modifying those rules to add the more obscure
packet filtering the GUI doesn't really directly support.