Disabling firewalld on AWS?
Daniel J Walsh
dwalsh at redhat.com
Wed Sep 11 12:57:50 UTC 2013
On 09/11/2013 08:53 AM, Sam Kottler wrote:
>
>
> ----- Original Message -----
>> From: "Michael Hampton" <error at ioerror.us>
>> To: cloud at lists.fedoraproject.org
>> Sent: Wednesday, September 11, 2013 8:47:23 AM
>> Subject: Re: Disabling firewalld on AWS?
>>
>>
> On 09/11/2013 08:13 AM, Sam Kottler wrote:
>>>> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>>>>>>> Given the deny-by-default nature of security groups I think
>>>>>>>>> it makes sense to disable firewalld in the AMIs. I
>>>>>>>>> haven't seen any other AMIs that have a firewall enabled
>>>>>>>>> by default and we probably shouldn't break that pattern
>>>>>>>>> IMO.
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>>>>>
>>>>>>
>>>>>> This is easily one of my least-favorite "features" of certain
>>>>>> Linux distributions.
>>>>>>
>>>>>> Debian/Ubuntu images don't have a firewall enabled by default in
>>>>>> their cloud images because they don't have a firewall enabled at
>>>>>> all in a default installation. At least the last time I looked
>>>>>> at them; maybe they've gotten smarter in the last couple of
>>>>>> years.
>>>>>>
>>>>>> I'm not really sure I see a benefit here. There may not even be a
>>>>>> second firewall in front of the virtual machine; a user might
>>>>>> turn it off because it's getting in the way, or a cloud provider
>>>>>> might not provide this feature at all. I know of at least one
>>>>>> public cloud provider which has an external firewall feature
>>>>>> similar to AWS security groups, but it's off by default. In this
>>>>>> case I see plenty of downside.
>>>>>>
>>>>>>> If people disable their firewall then that's their prerogative,
>>>>>>> but it's confusing and non-standard to have a firewall
>>>>>>> running on the instance and one running via the security
>>>>>>> group(s) that the host is in.
>>>>>
>>>>> Also, I don't trust the public cloud providers to configure their
>>>>> firewall correctly.
>>>>
>>>> So in your case you just `chkconfig firewalld on` and configure it.
>>>> I'm sure that people who share your opinion (myself among them) will
>>>> do that for the extra layer of security, but I'm just advocating for
>>>> the Fedora images to follow the way other AMIs are handling
>>>> firewalls.
>
> And I'm saying that the way other AMIs do it is wrong. We should not also
> be wrong merely because everyone else is jumping off the cliff. Rather we
> should continue to be secure by default and require explicit action from
> the user to disable security, not explicit action to enable security.
>
>> It's not "disabl[ing] security", security groups already do that for
>> you. You're adding an extra convoluted layer, and the vast majority of
>> users will just disable it and rely on security groups (that's conjecture
>> on my part). Have you ever heard about vulnerabilities in the AWS
>> security group implementation? I haven't.
>
I would figure Amazon would do everything in its power to prevent leakage of
information about vulnerabilities to the public. Their stock price would take
a large hit...
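The thread's practical worry is that a host firewall and a security group can drift apart, so an instance either blocks ports the security group admits or relies on the security group alone. The following script, an added example that is not from the thread or from Fedora, diffs the two layers; the security-group JSON, the zone XML, the `sg-EXAMPLE` id and the small `SERVICE_PORTS` table are constructed assumptions in the shape of `aws ec2 describe-security-groups` output and `/etc/firewalld/zones/public.xml`.

```python
"""Compare an EC2 security group's inbound rules with a firewalld zone."""
import json
import xml.etree.ElementTree as ET

# Assumption: a small subset of firewalld's predefined services, enough for the sample.
SERVICE_PORTS = {"ssh": {("tcp", 22)}, "http": {("tcp", 80)},
                 "https": {("tcp", 443)}, "dhcpv6-client": {("udp", 546)}}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUP_JSON = json.dumps({"SecurityGroups": [{"GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 81,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]})

# Constructed sample in the shape of /etc/firewalld/zones/public.xml.
ZONE_XML = """<zone><short>Public</short>
  <service name="ssh"/><service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
</zone>"""

def sg_inbound(sg_json):
    """Return the set of (protocol, port) pairs the security group admits."""
    allowed = set()
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "udp"):
                continue  # icmp and "-1" (all traffic) rules are not port-based
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                allowed.add((perm["IpProtocol"], port))
    return allowed

def zone_inbound(zone_xml):
    """Return the set of (protocol, port) pairs the firewalld zone admits."""
    root = ET.fromstring(zone_xml)
    allowed = set()
    for svc in root.iter("service"):
        allowed |= SERVICE_PORTS.get(svc.get("name"), set())
    for port in root.iter("port"):          # handles "8080" and "8000-8010"
        lo, _, hi = port.get("port").partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            allowed.add((port.get("protocol"), p))
    return allowed

def compare(sg_json, zone_xml):
    """Report where the two layers disagree."""
    sg, zone = sg_inbound(sg_json), zone_inbound(zone_xml)
    return {"blocked_on_host": sorted(sg - zone),   # SG admits, firewalld drops
            "host_only": sorted(zone - sg)}        # only the SG is stopping it

if __name__ == "__main__":
    print(compare(SECURITY_GROUP_JSON, ZONE_XML))
```

Ports in `blocked_on_host` are the "firewall getting in the way" case from the thread; ports in `host_only` are where the instance would be reachable the moment someone loosens the security group.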