cloud and local firewall at all (sig consensus?)

Robyn Bergeron rbergero at redhat.com
Fri Dec 21 14:40:38 UTC 2012



----- Original Message -----
> From: "Matthew Miller" <mattdm at fedoraproject.org>
> To: "Fedora Cloud SIG" <cloud at lists.fedoraproject.org>
> Sent: Thursday, December 20, 2012 1:49:23 PM
> Subject: cloud and local firewall at all (sig consensus?)
> 
> On Wed, Dec 12, 2012 at 09:58:04PM -0800, Garrett Holmstrom wrote:
> > EC2 recommends images with *no* default firewall since they use security
> > groups to control traffic, and adding a second, guest-level firewall tends
> > to confuse people.
> 
> I'd like to get a group consensus on this. Dennis Gilmore has expressed
> concern about leaving the local firewall off -- having it on may be
> redundant, but it protects against configuration errors or security bugs in
> EC2 itself.

Is this consensus just for EC2 or all images potentially used in cloud (public or private)?

> 
> Options for the out-of-the-box config are:
> 
>  A) no local firewall (Garrett, do you have a reference to an EC2
>         recommendation for this configuration?)
> 
>  B) firewall allowing ssh in by default (normal Fedora default)
> 
>  C) firewall allowing in ssh + http/https (since cloud systems are often
>         web servers)
> 
> I'm lightly in favor of C, since I like the concept of defense-in-depth, and
> this seems like a decent compromise. But I really don't have a very strong
> opinion. What are your thoughts?
> 
> --
> Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
>  <mattdm at fedoraproject.org>