Disabling firewalld on AWS?

Eric V. Smith eric at trueblade.com
Wed Sep 11 11:37:21 UTC 2013


On 09/10/2013 11:52 PM, Sam Kottler wrote:
> 
> 
> ----- Original Message -----
>> From: "Michael Hampton" <error at ioerror.us>
>> To: cloud at lists.fedoraproject.org
>> Sent: Tuesday, September 10, 2013 11:45:51 PM
>> Subject: Re: Disabling firewalld on AWS?
>> 
>> 
> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>> Given the deny-by-default nature of security groups I think
>>>> it makes sense to disable firewalld in the AMIs. I haven't
>>>> seen any other AMIs that have a firewall enabled by default
>>>> and we probably shouldn't break that pattern IMO.
>>>> 
>>>> Thoughts?
>>>> 
> 
> This is easily one of my least-favorite "features" of certain
> Linux distributions.
> 
> Debian/Ubuntu images don't have a firewall enabled by default in
> their cloud images because they don't have a firewall enabled at
> all in a default installation. At least the last time I looked at
> them; maybe they've gotten smarter in the last couple of years.
> 
> I'm not really sure I see a benefit here. There may not even be a
> second firewall in front of the virtual machine; a user might turn
> it off because it's getting in the way, or a cloud provider might
> not provide this feature at all. I know of at least one public
> cloud provider which has an external firewall feature similar to
> AWS security groups, but it's off by default. In this case I see
> plenty of downside.
> 
>> If people disable their firewall then that's their prerogative,
>> but it's confusing and non-standard to have a firewall running on
>> the instance and one running via the security group(s) that the
>> host is in.

Also, I don't trust the public cloud providers to configure their
firewall correctly.

Eric.

