I hadn't heard of this before. Reading about it a bit, it feels like the worst of both worlds. Doesn't this mean you need to know firehol to create your firehol config AND know iptables to inspect what's actually applied?
Maybe, I really hadn't thought about it that way... but it's a lot easier to write rules though unless you're doing something weird (like ripping a packet apart to look at a particular byte offset). I used to write my own iptables scripts but that got quite tedious.