Disabling firewalld on AWS?

Michael Hampton error at ioerror.us
Wed Sep 11 12:47:23 UTC 2013


On 09/11/2013 08:13 AM, Sam Kottler wrote:
> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>>>> Given the deny-by-default nature of security groups I think
>>>>>> it makes sense to disable firewalld in the AMIs. I haven't
>>>>>> seen any other AMIs that have a firewall enabled by default
>>>>>> and we probably shouldn't break that pattern IMO.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>
>>> This is easily one of my least-favorite "features" of certain
>>> Linux distributions.
>>>
>>> Debian/Ubuntu images don't have a firewall enabled by default in
>>> their cloud images because they don't have a firewall enabled at
>>> all in a default installation. At least the last time I looked at
>>> them; maybe they've gotten smarter in the last couple of years.
>>>
>>> I'm not really sure I see a benefit here. There may not even be a
>>> second firewall in front of the virtual machine; a user might turn
>>> it off because it's getting in the way, or a cloud provider might
>>> not provide this feature at all. I know of at least one public
>>> cloud provider which has an external firewall feature similar to
>>> AWS security groups, but it's off by default. In this case I see
>>> plenty of downside.
>>>
>>>> If people disable their firewall then that's their prerogative,
>>>> but it's confusing and non-standard to have a firewall running on
>>>> the instance and one running via the security group(s) that the
>>>> host is in.
>>
>> Also, I don't trust the public cloud providers to configure their
>> firewall correctly.
>
> So in your case you just `chkconfig firewalld on` and configure it. I'm sure that people who share your opinion (myself among them) will do that for the extra layer of security, but I'm just advocating for the Fedora images to follow the way other AMIs are handling firewalls.

And I'm saying that the way other AMIs do it is wrong. We should not also be wrong merely because everyone else is jumping off the cliff. Rather we should continue to be secure by default and require explicit action from the user to disable security, not explicit action to enable security.