On Wed, Dec 12, 2012 at 09:58:04PM -0800, Garrett Holmstrom wrote:
EC2 recommends images with *no* default firewall since they use
security
groups to control traffic, and adding a second, guest-level firewall tends
to confuse people.
I'd like to get a group consensus on this. Dennis Gilmore has expressed
concern about leaving the local firewall off -- having it on may be
redundant, but it protects against configuration errors or security bugs in
EC2 itself.
Options for the out-of-the-box config are:
A) no local firewall (Garrett, do you have a reference to an EC2
recommendation for this configuration?)
B) firewall allowing ssh in by default (normal Fedora default)
C) firewall allowing in ssh + http/https (since cloud systems are often
web servers)
I'm lightly in favor of C, since I like the concept of defense-in-depth, and
this seems like a decent compromise. But I really don't have a very strong
opinion. What are your thoughts?
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>