How to create/allow firewall rule?

I have a custom policy:

The only way to ssh into a machine is to contact another user already logged on (first user logs on at the console), get them to open a ssh port temporarily.

Expressed differently, each logged in user is allowed to execute one and only one exact command:

firewall-cmd --add-rich-rule ‘rule family=“ipv4” service name=“ssh” source address=“x.x.x.x” accept’ --timeout=5m

This works fine when the users are all sudoers, but in trying to allow mortal users to do this, I seem to get polkit problems. I want mortal users to be able to run only this very specific command – no other uses of firewall-cmd are acceptable.

Can someone give me some direction about how to accomplish this?


1 Like

Something like this:

  • Save the command to a script in /usr/local/sbin.
  • Add all non-privileged non-system users to some group.
  • Allow the group members to use sudo to run the script.
1 Like