Disabling firewalld on AWS?

Wed Sep 11 12:57:50 UTC 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2013 08:53 AM, Sam Kottler wrote:
> 
> 
> ----- Original Message -----
>> From: "Michael Hampton" <error at ioerror.us> To: 
>> cloud at lists.fedoraproject.org Sent: Wednesday, September 11, 2013
>> 8:47:23 AM Subject: Re: Disabling firewalld on AWS?
>> 
>> 
> On 09/11/2013 08:13 AM, Sam Kottler wrote:
>>>> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>>>>>>> Given the deny-by-default nature of security groups I think
>>>>>>>>>  it makes sense to disable firewalld in the AMI's. I
>>>>>>>>> haven't seen any other AMI's that have a firewall enabled
>>>>>>>>> by default and we probably shouldn't break that pattern
>>>>>>>>> IMO.
>>>>>>>>> 
>>>>>>>>> Thoughts?
>>>>>>>>> 
>>>>>> 
>>>>>> This is easily one of my least-favorite "features" of certain
>>>>>> Linux distributions.
>>>>>> 
>>>>>> Debian/Ubuntu images don't have a firewall enabled by default in
>>>>>>  their cloud images because they don't have a firewall enabled at
>>>>>>  all in a default installation. At least the last time I looked
>>>>>> at them; maybe they've gotten smarter in the last couple of
>>>>>> years.
>>>>>> 
>>>>>> I'm not really sure I see a benefit here. There may not even be a
>>>>>>  second firewall in front of the virtual machine; a user might
>>>>>> turn it off because it's getting in the way, or a cloud provider
>>>>>> might not provide this feature at all. I know of at least one
>>>>>> public cloud provider which has an external firewall feature
>>>>>> similar to AWS security groups, but it's off by default. In this
>>>>>> case I see plenty of downside.
>>>>>> 
>>>>>>> If people disable their firewall then that's their prerogative,
>>>>>>>  but it's confusing and non-standard to have a firewall
>>>>>>> running on the instance and one running via the security
>>>>>>> group(s) that the host is in.
>>>>> 
>>>>> Also, I don't trust the public cloud providers to configure their 
>>>>> firewall correctly.
>>>> 
>>>> So in your case you just `chkconfig firewalld on` and configure it. 
>>>> I'm sure that people who share your opinion (myself among them) will
>>>> do that for the extra layer of security, but I'm just advocating for
>>>> the Fedora images to follow the way other AMI's are handling
>>>> firewalls.
> 
> And I'm saying that the way other AMIs do it is wrong. We should not also
> be wrong merely because everyone else is jumping off the cliff. Rather we
> should continue to be secure by default and require explicit action from
> the user to disable security, not explicit action to enable security.
> 
>> It's not "disabl[ing] security", security groups already do that for
>> you. You're adding an extra convoluted layer, and the vast majority of
>> users will just disable it and rely on security groups (that's conjecture
>> on my part). Have you ever heard about vulnerabilities in the AWS
>> security group implementation? I haven't.
> 
I would figure Amazon would do everything in its power to prevent leakage of
information about vulnerabilities to the public.  Their stock price would take
a large hit...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIwaM4ACgkQrlYvE4MpobN15gCgiDdJpXpg56jlhb+08JbgtiaN
fGQAoOEsGcfzXLiLinHBA3/x1nYI3LdF
=l2dv
-----END PGP SIGNATURE-----