On 09/10/2013 11:52 PM, Sam Kottler wrote:
> ----- Original Message -----
> From: "Michael Hampton" <error(a)ioerror.us>
> To: cloud(a)lists.fedoraproject.org
> Sent: Tuesday, September 10, 2013 11:45:51 PM
> Subject: Re: Disabling firewalld on AWS?
>
>> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>> Given the deny-by-default nature of security groups I think
>>> it makes sense to disable firewalld in the AMIs. I haven't
>>> seen any other AMIs that have a firewall enabled by default
>>> and we probably shouldn't break that pattern IMO.
>>>
>>> Thoughts?
>>>
>> This is easily one of my least-favorite "features" of certain
>> Linux distributions.
>>
>> Debian/Ubuntu images don't have a firewall enabled by default in
>> their cloud images because they don't have a firewall enabled at
>> all in a default installation. At least the last time I looked at
>> them; maybe they've gotten smarter in the last couple of years.
>>
>> I'm not really sure I see a benefit here. There may not even be a
>> second firewall in front of the virtual machine; a user might turn
>> it off because it's getting in the way, or a cloud provider might
>> not provide this feature at all. I know of at least one public
>> cloud provider which has an external firewall feature similar to
>> AWS security groups, but it's off by default. In this case I see
>> plenty of downside.
>
> If people disable their firewall then that's their prerogative,
> but it's confusing and non-standard to have a firewall running on
> the instance and one running via the security group(s) that the
> host is in.

Also, I don't trust the public cloud providers to configure their
firewall correctly.

Eric.