Disabling firewalld on AWS?

Sam Kottler skottler at redhat.com
Wed Sep 11 12:55:56 UTC 2013



----- Original Message -----
> From: "Sam Kottler" <skottler at redhat.com>
> To: "Fedora Cloud SIG" <cloud at lists.fedoraproject.org>
> Sent: Wednesday, September 11, 2013 8:53:59 AM
> Subject: Re: Disabling firewalld on AWS?
> 
> 
> 
> ----- Original Message -----
> > From: "Michael Hampton" <error at ioerror.us>
> > To: cloud at lists.fedoraproject.org
> > Sent: Wednesday, September 11, 2013 8:47:23 AM
> > Subject: Re: Disabling firewalld on AWS?
> > 
> > 
> > 
> > On 09/11/2013 08:13 AM, Sam Kottler wrote:
> > > On 09/10/2013 11:36 PM, Sam Kottler wrote:
> > >>>>>> Given the deny-by-default nature of security groups I think
> > >>>>>> it makes sense to disable firewalld in the AMIs. I haven't
> > >>>>>> seen any other AMIs that have a firewall enabled by default
> > >>>>>> and we probably shouldn't break that pattern IMO.
> > >>>>>>
> > >>>>>> Thoughts?
> > >>>>>>
> > >>>
> > >>> This is easily one of my least-favorite "features" of certain
> > >>> Linux distributions.
> > >>>
> > >>> Debian/Ubuntu images don't have a firewall enabled by default in
> > >>> their cloud images because they don't have a firewall enabled at
> > >>> all in a default installation. At least the last time I looked at
> > >>> them; maybe they've gotten smarter in the last couple of years.
> > >>>
> > >>> I'm not really sure I see a benefit here. There may not even be a
> > >>> second firewall in front of the virtual machine; a user might turn
> > >>> it off because it's getting in the way, or a cloud provider might
> > >>> not provide this feature at all. I know of at least one public
> > >>> cloud provider which has an external firewall feature similar to
> > >>> AWS security groups, but it's off by default. In this case I see
> > >>> plenty of downside.
> > >>>
> > >>>> If people disable their firewall then that's their prerogative,
> > >>>> but it's confusing and non-standard to have a firewall running on
> > >>>> the instance and one running via the security group(s) that the
> > >>>> host is in.
> > >>
> > >> Also, I don't trust the public cloud providers to configure their
> > >> firewall correctly.
> > >
> > > So in your case you just `chkconfig firewalld on` and configure it. I'm
> > > sure that people who share your opinion (myself among them) will do that
> > > for the extra layer of security, but I'm just advocating for the Fedora
> > > images to follow the way other AMIs are handling firewalls.
> > 
> > And I'm saying that the way other AMIs do it is wrong. We should not also
> > be wrong merely because everyone else is jumping off the cliff. Rather we
> > should continue to be secure by default and require explicit action from
> > the user to disable security, not explicit action to enable security.
> 
> It's not "disabl[ing] security", security groups already do that for you.

Sorry, this was a weird sentence. My point is that having rules in place on the instance isn't enabling security, but rather adding another layer of it.

> You're adding an extra convoluted layer, and the vast majority of users will
> just disable it and rely on security groups (that's conjecture on my part).
> Have you ever heard about vulnerabilities in the AWS security group
> implementation? I haven't.
> 
> > 

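The thread turns on what happens when two filters sit in front of an instance: the security group on the network side and firewalld on the host. The confusing case Sam describes is a port the security group opens but the host firewall silently drops. The script below is an added example for this archive, not code from the Fedora cloud images or from any AWS tool: it takes one security group's IpPermissions (the JSON shape returned by `aws ec2 describe-security-groups`) and the text of `firewall-cmd --list-all`, and reports which world-reachable ports pass both layers, which are opened only in the security group, and which only on the host. The sample security group and zone listing are constructed, and the service-to-port table is an assumed subset of firewalld's service definitions.

```python
"""Audit the two firewall layers in front of an EC2 instance: the AWS
security group (network side) and firewalld (host side).

Added example for the mailing-list discussion above; not part of the
Fedora cloud images or of any AWS tooling.  Sample inputs are constructed
and FIREWALLD_SERVICES is an assumed subset of firewalld's definitions.
"""
import re

# Assumed subset of firewalld's service definitions (/usr/lib/firewalld/services).
FIREWALLD_SERVICES = {
    "ssh": {"22/tcp"},
    "http": {"80/tcp"},
    "https": {"443/tcp"},
    "dhcpv6-client": {"546/udp"},
}


def expand_port_entry(entry):
    """'8080/tcp' -> {'8080/tcp'}; '8000-8002/tcp' -> three entries."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)", entry)
    if not m:
        return set()
    lo, hi, proto = int(m.group(1)), int(m.group(2) or m.group(1)), m.group(3)
    return {f"{p}/{proto}" for p in range(lo, hi + 1)}


def parse_firewalld_zone(listing):
    """Turn `firewall-cmd --list-all` output into the 'port/proto' entries
    the zone accepts.  Only the services: and ports: lines are read; rich
    rules and source restrictions are ignored, so this is an audit aid,
    not an authority on what the host will actually accept."""
    allowed = set()
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("services:"):
            for svc in line.split(":", 1)[1].split():
                allowed |= FIREWALLD_SERVICES.get(svc, set())
        elif line.startswith("ports:"):
            for entry in line.split(":", 1)[1].split():
                allowed |= expand_port_entry(entry)
    return allowed


def parse_security_group(ip_permissions):
    """Turn one security group's IpPermissions list into the 'port/proto'
    entries reachable from 0.0.0.0/0.  Rules limited to narrower CIDRs or to
    other security groups are skipped: they are not world-reachable."""
    allowed = set()
    for perm in ip_permissions:
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue
        proto = perm["IpProtocol"]
        if proto == "-1":           # "all traffic": nothing to enumerate
            allowed.add("*/*")
            continue
        if proto not in ("tcp", "udp"):
            continue                # icmp and friends carry no port
        for port in range(perm["FromPort"], perm["ToPort"] + 1):
            allowed.add(f"{port}/{proto}")
    return allowed


def compare_layers(ip_permissions, firewalld_listing):
    """Classify every port either layer admits from the world.  'sg_only' is
    the case the thread argues about: the security group passes the packet
    and firewalld drops it on the host.  If the group allows all traffic the
    host firewall is the only filter, so every host-open port is effective."""
    sg = parse_security_group(ip_permissions)
    host = parse_firewalld_zone(firewalld_listing)
    if "*/*" in sg:
        return {"effective": host, "sg_only": set(), "host_only": set(),
                "sg_wide_open": True}
    return {"effective": sg & host, "sg_only": sg - host,
            "host_only": host - sg, "sg_wide_open": False}


# Constructed sample: the group opens 22 and 8080 to the world, while the
# firewalld public zone only admits ssh, dhcpv6-client and 80/tcp.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},   # not world-reachable
]
SAMPLE_ZONE = """\
public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 80/tcp
"""

if __name__ == "__main__":
    report = compare_layers(SAMPLE_SG, SAMPLE_ZONE)
    for key in ("effective", "sg_only", "host_only"):
        print(f"{key:10s} {sorted(report[key])}")
```

On the constructed input, 8080/tcp lands in `sg_only`: the operator opened it in the console, the host drops it, and nothing in either console or `firewall-cmd` says so. That is the support burden the "disable it in the AMI" side is worried about; the "keep it" side would read the same report as the host firewall doing its job when the security group is wider than intended.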
