Old 06-16-2017, 04:19 PM   #1
jnojr
firewalld - multiple services / sources?


If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules... how do you do that?

I can't tell if firewalld is just really poorly documented or very limited. I am sorely tempted to disable it and just use good ol' iptables, but I don't like the kneejerk "Just disable it!" attitude, partly because one day there'll be something that you have to do "the new way", and you'll be far behind the curve.
 
Old 06-16-2017, 07:26 PM   #2
frankbell
Quote:
If you have a system with one network interface, and you want to allow ssh from some addresses, freeipa-ldap from others, and https (which is part of freeipa-ldap) from another one; and you do not want to have a sea of rich rules.
I've never used firewalld, but I have used the firewall script from the now-defunct Project Files project (he said redundantly).

Please don't take this the wrong way, but, given the multiple and diverse requirements you list, I suspect you would be in for a sea of rules regardless of the method you select for configuring iptables, as you seem to have a lake, if not a sea, of requirements.
 
Old 06-19-2017, 09:40 AM   #3
jnojr
Original Poster
Quote:
Originally Posted by frankbell View Post
Please don't take this the wrong way, but, given the multiple and diverse requirements you list, I suspect you would be in for a sea of rules regardless of the method you select for configuring iptables, as you seems to have a lake, if not a sea, of requirements.
Not really. It's pretty common to not want to expose management functions to clients. In my case, all clients should be able to hit LDAP and Kerberos, and one or two management stations should have access to the IdM GUI, and one or two to have shell access to the OS. Anyone who isn't breaking things out like that is begging for trouble.

It turns out you can point rich rules at a service instead of a port, so that helps to keep things manageable.
 
Old 06-19-2017, 02:42 PM   #4
lazydog
You might want to combine iptables with ipset. Or you could compartmentalize your rules. Without knowing how many IP addresses you are talking about and what you want to allow where, it's kind of hard to give a good answer.
 
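An added example, not code from the thread or from the firewalld or FreeIPA projects, putting together what post #3 found (rich rules can name a service) and what post #4 suggests (ipsets). The approach that avoids a sea of rich rules is to bind firewalld zones to sources rather than to the single interface: one zone per class of peer, each listing exactly the services that class may reach. Everything here is an assumption for illustration: the addresses (10.20.0.0/24 for ordinary IdM clients, 10.20.1.10 for the web-UI admin station, 10.20.1.11 and .12 for the shell admin stations), the zone and ipset names, and the script's own `APPLY` and `FWCMD` variables. Without `APPLY=1` the script only prints the `firewall-cmd` invocations it would run, so it can be read and checked before it touches anything. The ipset part needs a firewalld with ipset support (0.4 or later).

```shell
#!/bin/sh
# Added example (not from the thread): three classes of peer on a single-NIC
# FreeIPA server, expressed as firewalld zones bound to *sources*.
# Assumed (hypothetical) layout:
#   10.20.0.0/24      ordinary IdM clients   -> LDAP + Kerberos only
#   10.20.1.10        web-UI admin station   -> client set + https
#   10.20.1.11, .12   shell admin stations   -> client set + ssh (kept in an ipset)
# Without APPLY=1 the script only prints the firewall-cmd invocations.
set -u
FWCMD="${FWCMD:-firewall-cmd}"

# Run one permanent firewall-cmd operation, or print it in dry-run mode.
fw() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$FWCMD" --permanent "$@"
        return
    fi
    printf '%s --permanent' "$FWCMD"
    for arg in "$@"; do
        case $arg in
            *' '*) printf " '%s'" "$arg" ;;
            *)     printf ' %s' "$arg" ;;
        esac
    done
    printf '\n'
}

# A rich rule that names a service instead of a port (what post #3 found).
rich_rule() {  # rich_rule SOURCE SERVICE
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Services every IdM client needs, as the stock firewalld service definitions.
# Deliberately NOT the freeipa-ldap bundle, which (as the OP notes) also opens
# https; the web UI is granted separately, to one zone only.
CLIENT_SERVICES="ldap ldaps kerberos kpasswd"

add_services() {  # add_services ZONE SERVICE...
    zone=$1; shift
    for svc in "$@"; do
        fw --zone="$zone" --add-service="$svc"
    done
}

# Zone layout. firewalld places a packet in the FIRST zone whose sources match
# and consults no other zone for it, so each admin zone must repeat the client
# services. Sources are kept disjoint so every address is in exactly one zone.
configure_zones() {  # configure_zones CLIENT_NET WEB_ADMIN SSH_ADMIN...
    client_net=$1; web_admin=$2; shift 2

    fw --new-zone=idm-clients
    fw --zone=idm-clients --add-source="$client_net"
    add_services idm-clients $CLIENT_SERVICES

    fw --new-zone=idm-mgmt-web
    fw --zone=idm-mgmt-web --add-source="$web_admin"
    add_services idm-mgmt-web $CLIENT_SERVICES https

    # Shell admins live in an ipset (post #4's idea, done inside firewalld), so
    # adding a station later is a single --add-entry rather than a new rule.
    fw --new-ipset=idm-ssh-admins --type=hash:ip
    for host in "$@"; do
        fw --ipset=idm-ssh-admins --add-entry="$host"
    done
    fw --new-zone=idm-mgmt-ssh
    fw --zone=idm-mgmt-ssh --add-source=ipset:idm-ssh-admins
    add_services idm-mgmt-ssh $CLIENT_SERVICES ssh

    # Anything that matches no source zone falls through to the interface's
    # zone (public by default), which must not keep its stock ssh allowance.
    fw --zone=public --remove-service=ssh
}

# The same policy as rich rules in the interface zone, which is what post #3
# describes: no extra zones, but one rule per (source, service) pair.
configure_rich_rules() {  # configure_rich_rules CLIENT_NET WEB_ADMIN SSH_ADMIN...
    client_net=$1; web_admin=$2; shift 2
    for src in "$client_net" "$web_admin" "$@"; do
        for svc in $CLIENT_SERVICES; do
            fw --zone=public --add-rich-rule="$(rich_rule "$src" "$svc")"
        done
    done
    fw --zone=public --add-rich-rule="$(rich_rule "$web_admin" https)"
    for host in "$@"; do
        fw --zone=public --add-rich-rule="$(rich_rule "$host" ssh)"
    done
    fw --zone=public --remove-service=ssh
}

# Stand-alone run: print (or, with APPLY=1, apply) the zone-based layout.
configure_zones 10.20.0.0/24 10.20.1.10 10.20.1.11 10.20.1.12
```

After running it with `APPLY=1`, a `firewall-cmd --reload` activates the permanent configuration, and `firewall-cmd --list-all-zones` shows which sources and services landed in which zone; test from an ordinary client that LDAP and Kerberos work while 443 and 22 are refused. The rich-rule variant is left in for comparison: with three sources and six services it already emits fourteen rules, which is the sea of rules the original question was trying to avoid, whereas the zone layout grows by one `--add-entry` per new admin host.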
Old 06-20-2017, 08:23 PM   #5
frankbell
Quote:
Not really. It's pretty common to not want to expose management functions to clients.
Agreed, and I understand the need for a complex ruleset in a business environment; the headlines every day point out that more businesses should give thought to this issue.

My only point was that it looked to be a relatively complex ruleset regardless of the means used to configure iptables.
 