Pretty much. It's basically a front-end for netfilter, which is actually what iptables is -- a way for the user/admin to interact with netfilter.
It's also an overly complex pain in the ass, IMO (but I've already dealt with ipfwadm -> ipchains -> iptables and not excited about having to learn yet another way to do it).
I think firewalls basically come down to matching a packet against an n-tuple of attributes and taking an indicated action. This is an oversimplification but this is how it looks when you view the rules.
I think that can potentially be expressed very simply and consistently with a basic grammar. You could still keep the concept of zones, which are a useful abstraction. Learning and applying something like that would be much quicker for me personally, because I don't normally work with it, and when I do, I just need something that gets the job done so I can move on.
UFW comes close, but its use cases are limited and the syntax is not consistent - it changes based on what attributes you are matching.
Yep, ufw works well for relatively simple use cases. I've always written my rulesets by hand (since ipfwadm) -- even for ASAs and SSGs and so on -- and prefer to. When I started using Ansible, however, I started looking for an easier way and have since switched to using ufw on all Ansible-managed (RHEL/CentOS) publicly-accessible hosts.
I tried using firewalld (on RHEL/CentOS) since that's now the "official way" but I just had too many issues, said "f--k it", and gave up on it. Mostly I didn't like that it tried to be helpful and auto-create certain rules (that I didn't need nor want) but I also had issues with it not respecting the ordering of my rules. Creating a "raw" iptables ruleset (one that can be loaded with iptables-restore) gives me complete control over my firewall rules -- and that's what I want.