Shorewall, Ferm, iptables frontends and the quest for dynamic rules management
Shorewall and Ferm are in my opinion the only two serious iptables frontends out there that you can trust on your servers. And yes, you want a frontend, because they make life easier, are more manageable, produce more readable configs and, most importantly, allow you to focus on your firewall design rather than its implementation. With regard to the latter, it's more likely that someone who has spent many years working with iptables knows better than you how to implement it. Besides, if you have anything more complex than deny-everything-in/allow-everything-out, you will end up with some sort of framework to make things more manageable; in short, you will build another, probably less featured, frontend. Obviously there are cases where you know what you're doing and you might need or benefit from direct iptables usage, but they are, or should be reduced to, very few. One of these is the dynamic addition or removal of rules at runtime, or so I thought.