This is in response to some mailing list discussion about how firewalld can eventually completely supplant the existing scripts to load static iptables configuration. It's ideal to have just one code path in the distribution for critical services like this. Eventually, we don't want to have to tell people "oh, to do what you want, remove firewalld and install this other thing". So: Firewalld should have a "direct-only" mode. When that mode is enabled, it will load a static script from from /etc/sysconfig/iptables on launch, and respond to any commands other than the "direct" api with an "in direct-only mode" error. Then, firewalld-aware applications could choose to raise a user error or to go to whatever fallback they have. Without this, some applications which choose to use firewalld will probably eventually make it a hard requirement, and life will become very difficult for people who need to take a different approach.