Disabling firewalld on AWS?
skottler at redhat.com
Wed Sep 11 14:30:26 UTC 2013
----- Original Message -----
> From: "Eric V. Smith" <eric at trueblade.com>
> To: cloud at lists.fedoraproject.org
> Sent: Wednesday, September 11, 2013 10:17:03 AM
> Subject: Re: Disabling firewalld on AWS?
> On 09/11/2013 08:57 AM, Daniel J Walsh wrote:
> > On 09/11/2013 08:53 AM, Sam Kottler wrote:
> >>> It's not "disabl[ing] security", security groups already do
> >>> that for you. You're adding an extra convoluted layer, and the
> >>> vast majority of users will just disable it and rely on
> >>> security groups (that's conjecture on my part). Have you ever
> >>> heard about vulnerabilities in the AWS security group
> >>> implementation? I haven't.
> > I would figure Amazon would do everything in its power to prevent
> > leakage of information about vulnerabilities to the public. Their
> > stock price would take a large hit...
> [I hope the quoting is correct there, but it looks odd to me.
> Apologies if it's wrong.]
> And, they may be under court order to not discuss their vulnerabilities!
> But seriously: I'd rather this work the same way other Fedora
> installations work. I don't have to enable the firewall when I install
> from DVDs, and I'd like the same thing to apply to cloud images.
> Otherwise I need to modify my post-install scripts to always enable
> the firewall (or maybe conditionally do it, which is worse).
The way that services run on public clouds is fundamentally different from the way they run on physical hardware & most private clouds. We shouldn't be treating the AMIs the same as the ISOs because they are meant to serve a different purpose.
As for your provisioning script, you don't need a conditional, just chkconfig it to on since it will exit 0 whether it successfully enabled the service or it was already enabled.