On 09/10/2013 11:52 PM, Sam Kottler wrote:
>
>
> ----- Original Message -----
>> From: "Michael Hampton" <error@xxxxxxxxxx>
>> To: cloud@xxxxxxxxxxxxxxxxxxxxxxx
>> Sent: Tuesday, September 10, 2013 11:45:51 PM
>> Subject: Re: Disabling firewalld on AWS?
>>
>>
> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>> Given the deny-by-default nature of security groups I think
>>>> it makes sense to disable firewalld in the AMI's. I haven't
>>>> seen any other AMI's that have a firewall enabled by default
>>>> and we probably shouldn't break that pattern IMO.
>>>>
>>>> Thoughts?
>>>>
>
> This is easily one of my least-favorite "features" of certain
> Linux distributions.
>
> Debian/Ubuntu images don't have a firewall enabled by default in
> their cloud images because they don't have a firewall enabled at
> all in a default installation. At least the last time I looked at
> them; maybe they've gotten smarter in the last couple of years.
>
> I'm not really sure I see a benefit here. There may not even be a
> second firewall in front of the virtual machine; a user might turn
> it off because it's getting in the way, or a cloud provider might
> not provide this feature at all. I know of at least one public
> cloud provider which has an external firewall feature similar to
> AWS security groups, but it's off by default. In this case I see
> plenty of downside.
>
>> If people disable their firewall then that's their prerogative,
>> but it's confusing and non-standard to have a firewall running on
>> the instance and one running via the security group(s) that the
>> host is in.

Also, I don't trust the public cloud providers to configure their
firewall correctly.

Eric.
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct