SSG does not open SSH port in firewalld

Hello, Regarding issue https://github.com/OpenSCAP/scap-security-guide/issues/2202, which is about remediation of Rule 'set_firewalld_default_zone' setting default zone of firewalld to drop, and as a consequence locking down the machine if no interface is assigned to a zone with SSH service enabled (because a interface with no zone assigned goes to default zone). There is PR https://github.com/OpenSCAP/scap-security-guide/pull/2285 which introduced a remediation for Rule 'firewalld_sshd_port_enabled' that will assign the first Ethernet interface found to a zone with SSH enabled, this will avoid lock down of the machine. But the question is, how useful is this remediation? Would it work in your infrastructure? There is concern that this scenario is too complex for a remediation to fix correctly and in a suitable way for everybody. There is too many unknowns about configuration, hardware, SSH use cases. We may be in a situation that any remediation implemented will do more harm than good. Dropping remediations for 'set_firewalld_default_zone' and 'firewalld_sshd_port_enabled' can be asafer solution for https://github.com/OpenSCAP/scap-security-guide/issues/2202, as the fix for these rules are not straight forward. With regards, -- Watson Sato Security Technologies | Red Hat, Inc