firewalld howto?

Andy Blanchard zocalo at gmail.com
Mon Feb 18 21:23:32 UTC 2013


I'm in a similar boat to Neal.  I want to look into migrating from
IPTables to FirewallD before I'm forced to, but the documentation out
there seems to be woefully inadequate so far.  As far as I can tell
the functionality isn't much better for my needs, but that might just
be a symptom of the documentation.

My current situation is that I run a few public facing daemons on a
box behind a separate physical firewall that allows the necessary
traffic through and blocks the rest.  I then use IP Tables to provide
extensive (several hundred rules worth) filtering of traffic to the
services on the box.  I also have a second ruleset that I enable when
I am away from home that enables a few other services for external
remote access that I keep disabled otherwise, and switch back and
forth with "iptables-restore < /etc/sysconfig/{ruleset file}" as
required.

I understand what each of the zones do and I've worked out how the
rules can be tweaked to support non-standard ports and so on - all the
basic stuff is fine.  For the life of me, however, I can't figure out
how to tell FirewallD about my multiple subnets in some of the zones, to
include my lengthy sequences of white/black list rules and several
other aspects of the configuration without using "--direct".
Furthermore there does not seem to be a way of feeding "--direct" a
bunch of rules in a file; it looks like it has to be done line by
line, which is going to make management of complex firewall rulesets
horrific if so.

So, what am I missing?  Is there any recommended way for providing a
human editable ruleset file for FirewallD, or are we really back to
writing lengthy custom scripts like the early days of IP Chains only
with the added complication of having to parse XML config files?  Some
pointers to any further reading than the wiki at fedoraproject.org
would be greatly appreciated!

--
Andy

The only person to have all his work done by Friday was Robinson Crusoe
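One way to drive "--direct" from a single human-editable file, as an added example rather than anything from the original post: a POSIX shell script that reads an iptables-restore style ruleset and emits one "firewall-cmd --permanent --direct --add-rule" per "-A" line, using the priority field to preserve file order. The sample ruleset is constructed; the RUN=1 switch and firewall-cmd being in PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): turn an iptables-restore style
# file into firewall-cmd --direct invocations so a large ruleset stays in one
# editable file. Commands are only printed unless RUN=1 is set (assumption:
# firewall-cmd is in PATH); a --reload is still needed after applying.

# Constructed sample ruleset, in iptables-restore format
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
# block a known-bad range, then let a management subnet reach ssh
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT'

# direct_rules_from_file FILE [IPV]
# Emits one firewall-cmd line per -A rule. The priority counter restarts at
# every *table header and increments per rule, so ordering matches the file.
# Rule arguments are passed through verbatim (quotes survive when piped to sh).
direct_rules_from_file() {
    file=$1
    ipv=${2:-ipv4}
    table=filter
    prio=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*|'') continue ;;                        # comments / blank lines
            '*'*) table=${line#\*}; prio=0; continue ;; # table header, e.g. *filter
            ':'*|COMMIT) continue ;;                    # chain policy lines, COMMIT
            '-A '*)
                rest=${line#-A }
                chain=${rest%% *}
                args=${rest#* }
                printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
                    "$ipv" "$table" "$chain" "$prio" "$args"
                prio=$((prio + 1))
                ;;
            *) printf 'skip: unsupported line: %s\n' "$line" >&2 ;;
        esac
    done < "$file"
}

# count_direct_rules FILE: how many firewall-cmd lines the file would produce
count_direct_rules() {
    direct_rules_from_file "$1" | wc -l | tr -d ' '
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
if [ "${RUN:-0}" = 1 ]; then
    direct_rules_from_file "$tmp" | sh -e && firewall-cmd --reload
else
    direct_rules_from_file "$tmp"
fi
rm -f "$tmp"
```

Keeping one file per ruleset (home vs. away) and running the script against whichever applies gives the same switch-over the post does with iptables-restore, with the rules still reviewable in plain text.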
