Tootfinder

next #firewalld oddity; you can't use 'firewall-cmd' when firewalld is stopped (like configuring a rootfs not yet booted), but it has got 'firewall-offline-cmd' that lets you do it - except the options are sometimes different; e.g.
firewall-cmd --zone=external --remove-service ssh --permanent
becomes
firewall-offline-cmd --zone=external --remove-service-fro…

A thread dumping some (non-obvious?) notes about #firewalld - I think I've got it doing what I want, but it's been a bit of a fight, and I made a bunch of wrong turns.
It's a layer on top of nftables or iptables; is XML based but you can just drive it from a command line tool firewall-cmd and avoid the XML.
It's main idea is a graph of 'zones' where a 'zo…