-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/11/2013 08:53 AM, Sam Kottler wrote: > > > ----- Original Message ----- >> From: "Michael Hampton" <error@xxxxxxxxxx> To: >> cloud@xxxxxxxxxxxxxxxxxxxxxxx Sent: Wednesday, September 11, 2013 >> 8:47:23 AM Subject: Re: Disabling firewalld on AWS? >> >> > On 09/11/2013 08:13 AM, Sam Kottler wrote: >>>> On 09/10/2013 11:36 PM, Sam Kottler wrote: >>>>>>>>> Given the deny-by-default nature of security groups I think >>>>>>>>> it makes sense to disable firewalld in the AMI's. I >>>>>>>>> haven't seen any other AMI's that have a firewall enabled >>>>>>>>> by default and we probably shouldn't break that pattern >>>>>>>>> IMO. >>>>>>>>> >>>>>>>>> Thoughts? >>>>>>>>> >>>>>> >>>>>> This is easily one of my least-favorite "features" of certain >>>>>> Linux distributions. >>>>>> >>>>>> Debian/Ubuntu images don't have a firewall enabled by default in >>>>>> their cloud images because they don't have a firewall enabled at >>>>>> all in a default installation. At least the last time I looked >>>>>> at them; maybe they've gotten smarter in the last couple of >>>>>> years. >>>>>> >>>>>> I'm not really sure I see a benefit here. There may not even be a >>>>>> second firewall in front of the virtual machine; a user might >>>>>> turn it off because it's getting in the way, or a cloud provider >>>>>> might not provide this feature at all. I know of at least one >>>>>> public cloud provider which has an external firewall feature >>>>>> similar to AWS security groups, but it's off by default. In this >>>>>> case I see plenty of downside. >>>>>> >>>>>>> If people disable their firewall then that's their prerogative, >>>>>>> but it's confusing and non-standard to have a firewall >>>>>>> running on the instance and one running via the security >>>>>>> group(s) that the host is in. >>>>> >>>>> Also, I don't trust the public cloud providers to configure their >>>>> firewall correctly. >>>> >>>> So in your case you just `chkconfig firewalld on` and configure it. >>>> I'm sure that people who share your opinion (myself among them) will >>>> do that for the extra layer of security, but I'm just advocating for >>>> the Fedora images to follow the way other AMI's are handling >>>> firewalls. > > And I'm saying that the way other AMIs do it is wrong. We should not also > be wrong merely because everyone else is jumping off the cliff. Rather we > should continue to be secure by default and require explicit action from > the user to disable security, not explicit action to enable security. > >> It's not "disabl[ing] security", security groups already do that for >> you. You're adding an extra convoluted layer, and the vast majority of >> users will just disable it and rely on security groups (that's conjecture >> on my part). Have you ever heard about vulnerabilities in the AWS >> security group implementation? I haven't. > I would figure Amazon would do everything in its power to prevent leakage of information about vulnerabilities to the public. Their stock price would take a large hit... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIwaM4ACgkQrlYvE4MpobN15gCgiDdJpXpg56jlhb+08JbgtiaN fGQAoOEsGcfzXLiLinHBA3/x1nYI3LdF =l2dv -----END PGP SIGNATURE----- _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
