Re: Disabling firewalld on AWS?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


----- Original Message -----
> From: "Sam Kottler" <skottler@xxxxxxxxxx>
> To: "Fedora Cloud SIG" <cloud@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, September 11, 2013 8:53:59 AM
> Subject: Re: Disabling firewalld on AWS?
> 
> 
> 
> ----- Original Message -----
> > From: "Michael Hampton" <error@xxxxxxxxxx>
> > To: cloud@xxxxxxxxxxxxxxxxxxxxxxx
> > Sent: Wednesday, September 11, 2013 8:47:23 AM
> > Subject: Re: Disabling firewalld on AWS?
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 09/11/2013 08:13 AM, Sam Kottler wrote:
> > > On 09/10/2013 11:36 PM, Sam Kottler wrote:
> > >>>>>> Given the deny-by-default nature of security groups I think
> > >>>>>> it makes sense to disable firewalld in the AMI's. I haven't
> > >>>>>> seen any other AMI's that have a firewall enabled by default
> > >>>>>> and we probably shouldn't break that pattern IMO.
> > >>>>>>
> > >>>>>> Thoughts?
> > >>>>>>
> > >>>
> > >>> This is easily one of my least-favorite "features" of certain
> > >>> Linux distributions.
> > >>>
> > >>> Debian/Ubuntu images don't have a firewall enabled by default in
> > >>> their cloud images because they don't have a firewall enabled at
> > >>> all in a default installation. At least the last time I looked at
> > >>> them; maybe they've gotten smarter in the last couple of years.
> > >>>
> > >>> I'm not really sure I see a benefit here. There may not even be a
> > >>> second firewall in front of the virtual machine; a user might turn
> > >>> it off because it's getting in the way, or a cloud provider might
> > >>> not provide this feature at all. I know of at least one public
> > >>> cloud provider which has an external firewall feature similar to
> > >>> AWS security groups, but it's off by default. In this case I see
> > >>> plenty of downside.
> > >>>
> > >>>> If people disable their firewall then that's their prerogative,
> > >>>> but it's confusing and non-standard to have a firewall running on
> > >>>> the instance and one running via the security group(s) that the
> > >>>> host is in.
> > >>
> > >> Also, I don't trust the public cloud providers to configure their
> > >> firewall correctly.
> > >
> > > So in your case you just `chkconfig firewalld on` and configure it. I'm
> > > sure that people who share your opinion (myself among them) will do that
> > > for the extra layer of security, but I'm just advocating for the Fedora
> > > images to follow the way other AMI's are handling firewalls.
> > 
> > And I'm saying that the way other AMIs do it is wrong. We should not also
> > be
> > wrong merely because everyone else is jumping off the cliff. Rather we
> > should continue to be secure by default and require explicit action from
> > the
> > user to disable security, not explicit action to enable security.
> 
> It's not "disabl[ing] security", security groups already do that for you.

Sorry, this was a weird sentence. My point is that having rules in place on the instance isn't enabling security, but rather adding another layer of it.

> You're adding an extra convoluted layer, and the vast majority of users will
> just disable it and rely on security groups (that's conjecture on my part).
> Have you ever heard about vulnerabilities in the AWS security group
> implementation? I haven't.
> 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.14 (GNU/Linux)
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> > 
> > iQIcBAEBAgAGBQJSMGZbAAoJEJICkBIKCqxcZU8P/2l2+3RP57++Emwl3sfcg0TN
> > 7a1pFT58OxQXUYeUuB/rNtIMOsr2hKsk9RzbJkB4Hlq4IE3d1X87IZ6IGU5IdAKL
> > 0h4gxkV9yCSg0D9v7QIJbHjSPtyQS/A4xX2LGwoO5uJRkIok8c3SZnwVUni/50+l
> > CYnIHVo7jHax6nFtoeRKlbEFajq4BLkjepDKd9O+U8cilWIUiE7/U7x7SXz+gM7m
> > fOfgR1HJ/vvWwyt40BwVKCi94Nn3MRNooevfP2Shh9QQuaMWXe94FnqMAb4aQ0qZ
> > bCdIzDzIzZxX5kVGj01RlFHJps35Y091aGehnyFMvecf6zglks7KBLKFnEE5au3Z
> > a9MAzvf7Ey6pli8X8F16ghPKYyLgggBu8Df/F9fY17rY0eFLe3f2Uhmr9y/J6sSf
> > LVkBuYKvYBprMntMs50WdOOv/T3Xgnf0NjfCqzeOb+8F7IiXiOh50nGupMhjMY2H
> > hcGA3b1YUESuzXHWV0LR7N4Z1owfF5PpNXZZrs7V6O/vCHDh2trmL0Pd/GOh0Co4
> > LbukaX3kFW4IS7EtTrdZC6zLH7QNpWNvLAsVCGeMP45F/jTugv+nigM83wCr3kJo
> > wjitcI+7I0h3OWQTiA+yJXLYiVz/yneZcUKR9ikzPdGfWVsilAEWzsnNFYp+BgWK
> > OgO8367gE4NY68rvSw5E
> > =oAh5
> > -----END PGP SIGNATURE-----
> > 
> > _______________________________________________
> > cloud mailing list
> > cloud@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/cloud
> > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> >
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Big List of Linux Books]     [Yosemite News]     [Linux Apps]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux