Is There No Way To Make Firewalld More User-Friendly?

[48Laws]

The Firewall daemon is a great improvement over iptables.
But here, I'm going to sum up what I feel ought to be part of its makeup.

Yesterday, I configured a system, started/enabled the Firewall daemon. Having configured and whitelisted services and usual/custom ports on all the servers under our control, I completely forgot that the machine I was dealing with, wasn't part of that process.

Assumption .... bad. Real bad when you are dealing with machines.

And then with 3 Terminals open, I absent-mindly & without thinking ran systemctl reboot. Voila ... accessing the machine became impossible. By the way, SELinux is disabled.

That got me thinking.

Now, I know I'm way over my head on this but I know that those of you who we look up to, can assess whether what I'm going to say make sense or not.

If it make sense, please consider adding this a feature to the Firewalld.

If it doesn't, please point out to me, the errors in my thought.

Isn't there is a way to make Firewall daemon to look up authorized keys?

if the local machine wishing to access the remote machine has valid keys, allow it access so he or she can correct whatever mistake was made.

To take stolen machines into consideration,

if such local machine fail to properly authenticate on the remore machine after 7 attempts, lock up as usual.


Regarding my unenviable situation, apart from booting this system into Rescue Mode to see if this can be salvaged in anyway, I may have to rebuilt this machine from scratch because of this carelessness.

I would be more than glad to drink from the fountain of those who are Masters in this craft. Please offer me your wisdom.

Thank you!!!

[gerald_clark]

CentOS does not make changes.
You need to make your suggestions to RHEL.

[TrevorH]

The openssh daemon already validates openssh keys. Firewalld manages iptables rules and to validate a key it would have to allow the connection, examine the key and only then would it know enough to add a new iptables rule to block the connection. Not impossible but things like fail2ban already do this sort of thing. Better to configure openssh to only accept keys and refuse passwords and then it already does what you want it to do.