https://bugzilla.redhat.com/show_bug.cgi?id=902086

--- Comment #125 from Jörg Prante <joergprante@xxxxxxxxx> ---

(In reply to Zbigniew Jędrzejewski-Szmek from comment #120)
> (In reply to jiri vanek from comment #116)
> > (In reply to Zbigniew Jędrzejewski-Szmek from comment #115)
> > > (In reply to jiri vanek from comment #100)
> > > > > Second question: elasticsearch listens on 0.0.0.0:9200 by default, accepting
> > > > > commands from the internet.
> > > > > This has to be fixed. Maybe a default configuration to limit it to ::1
> > > > > should be added. I don't know what,
> > > > > but something has to be done.
> > > >
> > > > Afaik no simple option here. The firewalld should do this job or any other
> > > > deployment tool like nginx or similar...
> > > The problem is that Workstation product runs with firewall disabled. People
> >
> > How come? Wasn't it vice versa until recently?
> You missed the big discussion on fedora-devel apparently. Short version is
> that Workstation working group proposed disabling the firewall, which FESCo
> rejected, so instead they made a firewall with all ports allowed, which
> FESCo approved, or at least declined to disapprove.
>
> > > might install ES without realizing that it listens on the network by
> > > default. Even if it is documented somewhere. It is also very likely that ES
> > > will become a dependency of other packages. Having it default to accepting
> > > commands from the network seems like something that will bite our users.
> > > "Secure by default" is the general principle.
> >
> > Hmm. I agree. But currently no idea. Crap.
> I think socket activation would be the best way to go. It would solve two
> problems: listening on public address, and startup synchronization.
>
> When I wrote comment #c93, I didn't know that upstream is sympathetic to
> doing socket activation. It might not be trivial with Java, but this would
> be the perfect solution in the long run.
I am not familiar with the details of the discussion, but if you are about to consider modifying Elasticsearch to restrict HTTP port 9200 to opening on a site-local network socket only, please see my patch https://github.com/jprante/elasticsearch/commit/42392350850ae58b73f5a39939bc245f4faf2f44 This is for HTTP only and can block external requests by a default configuration. Please note, it is only complete with a solution for the Elasticsearch node protocol port 9300, which is very similar.
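As an added illustration of the default-exposure problem discussed in this thread (not part of the bug report, of Jörg's patch, or of Elasticsearch itself): a small Python audit of an elasticsearch.yml that reports which of the two ports would bind a non-loopback address. It assumes the thread's premise that an unset host setting means 0.0.0.0 for both 9200 and 9300, that the config is the flat `key: value` form, and that the keys network.host, network.bind_host, http.host and transport.host decide the bound address.

```python
"""Audit an elasticsearch.yml for the 0.0.0.0 exposure discussed in the thread.

Assumptions (constructed for this example, not taken from the bug):
- the file is flat 'key: value' YAML, as elasticsearch.yml usually is;
- network.host / network.bind_host set the address for both services, and
  http.host / transport.host override it per service;
- when nothing is set, the default is 0.0.0.0 (the thread's premise).
"""
import ipaddress

LOOPBACK_ALIASES = {"_local_", "localhost"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines; comments are dropped, nesting is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_local_only(addr):
    """True when the address can only be reached from this host (loopback)."""
    if addr in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_services(text):
    """Return the services that would listen on a non-loopback address."""
    s = parse_flat_yaml(text)
    general = s.get("network.bind_host", s.get("network.host", "0.0.0.0"))
    http = s.get("http.host", general)
    transport = s.get("transport.host", general)
    return [name for name, addr in (("http/9200", http), ("transport/9300", transport))
            if not is_local_only(addr)]


# Constructed sample configs: stock default, loopback-only, and HTTP-only fix.
DEFAULT_CONF = "cluster.name: elasticsearch\n# network.host left unset\n"
HARDENED_CONF = "cluster.name: elasticsearch\nnetwork.host: 127.0.0.1\n"
HTTP_ONLY_CONF = "http.host: ::1\n"  # transport/9300 still falls back to 0.0.0.0
```

The third sample mirrors the caveat in the comment: restricting only the HTTP port leaves the node protocol port exposed.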