Disabling firewalld on AWS?

Sam Kottler skottler at redhat.com
Wed Sep 11 14:30:26 UTC 2013



----- Original Message -----
> From: "Eric V. Smith" <eric at trueblade.com>
> To: cloud at lists.fedoraproject.org
> Sent: Wednesday, September 11, 2013 10:17:03 AM
> Subject: Re: Disabling firewalld on AWS?
> 
> On 09/11/2013 08:57 AM, Daniel J Walsh wrote:
> > On 09/11/2013 08:53 AM, Sam Kottler wrote:
> > 
> >>> It's not "disabl[ing] security", security groups already do
> >>> that for you. You're adding an extra convoluted layer, and the
> >>> vast majority of users will just disable it and rely on
> >>> security groups (that's conjecture on my part). Have you ever
> >>> heard about vulnerabilities in the AWS security group
> >>> implementation? I haven't.
> > 
> > I would figure Amazon would do everything in its power to prevent
> > leakage of information about vulnerabilities to the public.  Their
> > stock price would take a large hit...
> 
> [I hope the quoting is correct there, but it looks odd to me.
> Apologies if it's wrong.]
> 
> And, they may be under court order to not discuss their vulnerabilities!
> 
> But seriously: I'd rather this work the same way other Fedora
> installations work. I don't have to enable the firewall when I install
> from DVDs, and I'd like the same thing to apply to cloud images.
> Otherwise I need to modify my post-install scripts to always enable
> the firewall (or maybe conditionally do it, which is worse).

The way that services run on public clouds is fundamentally different from the way they run on physical hardware & most private clouds. We shouldn't be treating the AMIs the same as the ISOs because they are meant to serve a different purpose.

As for your provisioning script, you don't need a conditional; just chkconfig it to on, since it will exit 0 whether it successfully enabled the service or it was already enabled.

> 
> Eric.