On 12/20/2012 3:49 PM, Matthew Miller wrote: > On Wed, Dec 12, 2012 at 09:58:04PM -0800, Garrett Holmstrom wrote: >> EC2 recommends images with *no* default firewall since they use security >> groups to control traffic, and adding a second, guest-level firewall tends >> to confuse people. > > I'd like to get a group consensus on this. Dennis Gilmore has expressed > concern about leaving the local firewall off -- having it on may be > redundant, but it protects against configuration errors or security bugs in > EC2 itself. > > Options for the out-of-the-box config are: > > A) no local firewall (Garrett, do you have a reference to an EC2 > recommendation for this configuration?) > > B) firewall allowing ssh in by default (normal Fedora default) > > C) firewall allowing in ssh + http/https (since cloud systems are often > web servers) > > I'm lightly in favor of C, since I like the concept of defense-in-depth, and > this seems like a decent compromise. But I really don't have a very strong > opinion. What are your thoughts? > I think B is the right solution. I don't trust EC2's firewalls (especially EC2 instance to EC2 instance) and I have EC2 instances that don't run web servers. -- Eric. _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/cloud
