I use tools like fail2ban which temporarily adds deny rules to a local firewall (iptables on Linux). It would be great if I could have these tools use the DO API to insert banned IPs into a Cloud Firewall instead. This would move the traffic filtering off of my droplet, improving performance, and would also allow all droplets using that firewall to be protected when any one of them is being probed/attacked.
Admittedly, this could mostly be accomplished at the user level using a network-aware tool (for example, insert banned IP into a database, perhaps etcd or a similar "watchable" DB, then all clients update rules on change). However, such a solution lacks the performance benefit of banning at the cloud firewall level.
This feature would require ordering support. Simplistically, saying that the order is always block then deny should work. It's up to the user to add their "never block this IP" settings into their tool, rather than doing that at the firewall level. The UI could either be implemented as individual firewalls being "block" or "deny" firewalls, or there could be two sets of input boxes for sources/destinations - a block set and a deny set (perhaps with the "block" set being hidden by default). Representing the blocked and allowed IPs/tags with positive and negative outlines (maybe blocked is a solid black box with white text) or something like that would make for an easy visual representation without the potential color blind impact of red/green.
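A small worked model of the user-level alternative the post mentions, added here as an example; it is not code from the original post, from fail2ban, or from DigitalOcean. fail2ban hands a banned address to the tool, the tool records it in a shared ban store that every droplet reads, the "never block this IP" exceptions live in the tool rather than in the firewall, and evaluation is always block-then-allow. A JSON file stands in for a watchable store such as etcd (clients re-read on every call instead of watching), the firewall is an in-memory allow list rather than iptables or the Cloud Firewall API, and the path, the sample networks and the ban-time values are all constructed for the example.

```python
import ipaddress
import json
import os
import tempfile
import time
from pathlib import Path

# "Never block" exceptions kept in the tool, not the firewall (constructed sample networks).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Allow rules in the style of a default-deny cloud firewall: (protocol, port, source network).
ALLOW_RULES = [
    ("tcp", 22, ipaddress.ip_network("0.0.0.0/0")),
    ("tcp", 443, ipaddress.ip_network("0.0.0.0/0")),
]


class BanStore:
    """Shared ban list. A JSON file stands in for etcd or a similar watchable store:
    each droplet re-reads it on every call instead of subscribing to changes."""

    def __init__(self, path):
        self.path = Path(path)
        if not self.path.exists():
            self.path.write_text("{}")

    def _load(self):
        return json.loads(self.path.read_text())

    def _save(self, data):
        self.path.write_text(json.dumps(data))

    def ban(self, ip, bantime, now=None):
        """Record a ban that expires after `bantime` seconds. Returns False and records
        nothing when the address falls under a never-block exception."""
        addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input from the caller
        if any(addr in net for net in NEVER_BLOCK):
            return False
        now = time.time() if now is None else now
        data = self._load()
        data[str(addr)] = now + bantime
        self._save(data)
        return True

    def unban(self, ip):
        """Remove a ban early (fail2ban's actionunban). Returns whether an entry existed."""
        data = self._load()
        removed = data.pop(str(ipaddress.ip_address(ip)), None) is not None
        self._save(data)
        return removed

    def active(self, now=None):
        """Set of currently banned addresses. Expired entries are dropped on read, so a
        client that crashed before unbanning cannot leave an address blocked forever."""
        now = time.time() if now is None else now
        data = self._load()
        live = {ip: exp for ip, exp in data.items() if exp > now}
        if len(live) != len(data):
            self._save(live)
        return set(live)


def new_store(path=None):
    """Open the shared store; with no path, create a throwaway file (handy for tests)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".json")
        os.close(fd)
        os.unlink(path)
    return BanStore(path)


def evaluate(src_ip, proto, port, banned):
    """Block-then-allow ordering: a banned source is refused before the allow rules are
    consulted; otherwise the allow rules decide; anything unmatched hits the default deny."""
    addr = ipaddress.ip_address(src_ip)
    if str(addr) in banned:
        return "block"
    for rule_proto, rule_port, net in ALLOW_RULES:
        if proto == rule_proto and port == rule_port and addr in net:
            return "allow"
    return "deny"


if __name__ == "__main__":
    # Stand-alone demo: ban one probe source, then evaluate a few connections against it.
    store = new_store()
    store.ban("192.0.2.10", bantime=600)
    store.ban("203.0.113.5", bantime=600)  # ignored: inside a never-block network
    banned = store.active()
    for src, port in (("192.0.2.10", 22), ("192.0.2.11", 22), ("192.0.2.11", 25)):
        print(src, port, evaluate(src, "tcp", port, banned))
```

Wiring this to fail2ban would be an action file whose `actionban` runs the tool with `ban <ip>` and whose `actionunban` runs it with `unban <ip>` (assumed wiring, not shown); each droplet would then apply `active()` to its local firewall, or, if the feature requested above existed, push the same set to the Cloud Firewall once.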