https://bugzilla.redhat.com/show_bug.cgi?id=902086

--- Comment #120 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---
(In reply to jiri vanek from comment #116)
> (In reply to Zbigniew Jędrzejewski-Szmek from comment #115)
> > (In reply to jiri vanek from comment #100)
> > > > Second question: elasticsearch listens on 0.0.0.0:9200 by default, accepting
> > > > commands from the internet.
> > > > This has to be fixed. Maybe a default configuration to limit it to ::1
> > > > should be added. I don't know what,
> > > > but something has to be done.
> > >
> > > Afaik no simple option here. The firewalld should do this job or any other
> > > deployment tool like nginx or similar...
> > The problem is that Workstation product runs with firewall disabled. People
>
> How come? Wasn't it vice versa until recently?

You missed the big discussion on fedora-devel apparently. Short version is that
Workstation working group proposed disabling the firewall, which FESCo rejected,
so instead they made a firewall with all ports allowed, which FESCo approved, or
at least declined to disapprove.

> > might install ES without realizing that it listens on the network by
> > default. Even if it is documented somewhere. It is also very likely that ES
> > will become a dependency of other packages. Having it default to accepting
> > commands from the network seems like something that will bite our users.
> > "Secure by default" is the general principle.
> >
> Hmm. I agree. But currently no idea. Crap.

I think socket activation would be the best way to go. It would solve two
problems: listening on public address, and startup synchronization. When I
wrote comment #c93, I didn't know that upstream is sympathetic to doing socket
activation. It might not be trivial with Java, but this would be the perfect
solution in the long run.
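A check for the exposure discussed in this message, as an added example that is not part of the original thread or the package under review: it parses `ss -H -ltn` output and reports listeners on the given ports that are bound to anything other than loopback. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:9200 *:*
LISTEN 0 50 [::ffff:127.0.0.1]:9300 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 50 192.0.2.10:9201 0.0.0.0:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column of ss into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    # Drop an interface suffix such as '127.0.0.53%lo'.
    host = host.split("%", 1)[0]
    return host, int(port)

def classify(host):
    """Return 'wildcard', 'loopback' or 'specific' for a listen address."""
    if host == "*":  # ss prints '*' for a dual-stack wildcard socket
        return "wildcard"
    addr = ipaddress.ip_address(host)
    # Java services often bind IPv4-mapped IPv6 addresses; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    if addr.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def exposed_listeners(ss_output, ports=frozenset({9200})):
    """List (port, host, kind) for watched ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        kind = classify(host)
        if port in ports and kind != "loopback":
            findings.append((port, host, kind))
    return findings

if __name__ == "__main__":
    for port, host, kind in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} is reachable beyond loopback: {host} ({kind})")
```

On a live host, pass the captured output of `ss -H -ltn` to `exposed_listeners` instead of the sample.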