Disabling firewalld on AWS?

Sam Kottler skottler at redhat.com
Wed Sep 11 03:52:06 UTC 2013



----- Original Message -----
> From: "Michael Hampton" <error at ioerror.us>
> To: cloud at lists.fedoraproject.org
> Sent: Tuesday, September 10, 2013 11:45:51 PM
> Subject: Re: Disabling firewalld on AWS?
> 
> 
> 
> On 09/10/2013 11:36 PM, Sam Kottler wrote:
> > Given the deny-by-default nature of security groups I think it makes sense
> > to disable firewalld in the AMIs. I haven't seen any other AMIs that
> > have a firewall enabled by default and we probably shouldn't break that
> > pattern IMO.
> >
> > Thoughts?
> >
> 
> This is easily one of my least-favorite "features" of certain Linux
> distributions.
> 
> Debian/Ubuntu images don't have a firewall enabled by default in their cloud
> images because they don't have a firewall enabled at all in a default
> installation. At least the last time I looked at them; maybe they've gotten
> smarter in the last couple of years.
> 
> I'm not really sure I see a benefit here. There may not even be a second
> firewall in front of the virtual machine; a user might turn it off because
> it's getting in the way, or a cloud provider might not provide this feature
> at all. I know of at least one public cloud provider which has an external
> firewall feature similar to AWS security groups, but it's off by default. In
> this case I see plenty of downside.

If people disable their firewall then that's their prerogative, but it's confusing and non-standard to have a firewall running on the instance and one running via the security group(s) that the host is in.
