----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora Cloud SIG" <cloud(a)lists.fedoraproject.org>
Cc: "Sam Kottler" <skottler(a)redhat.com>
Sent: Wednesday, September 11, 2013 8:57:50 AM
Subject: Re: Disabling firewalld on AWS?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/11/2013 08:53 AM, Sam Kottler wrote:
>
>
> ----- Original Message -----
>> From: "Michael Hampton" <error(a)ioerror.us> To:
>> cloud(a)lists.fedoraproject.org Sent: Wednesday, September 11, 2013
>> 8:47:23 AM Subject: Re: Disabling firewalld on AWS?
>>
>>
> On 09/11/2013 08:13 AM, Sam Kottler wrote:
>>>> On 09/10/2013 11:36 PM, Sam Kottler wrote:
>>>>>>>>> Given the deny-by-default nature of security groups
I think
>>>>>>>>> it makes sense to disable firewalld in the
AMI's. I
>>>>>>>>> haven't seen any other AMI's that have a
firewall enabled
>>>>>>>>> by default and we probably shouldn't break that
pattern
>>>>>>>>> IMO.
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>>>>>
>>>>>>
>>>>>> This is easily one of my least-favorite "features" of
certain
>>>>>> Linux distributions.
>>>>>>
>>>>>> Debian/Ubuntu images don't have a firewall enabled by
default in
>>>>>> their cloud images because they don't have a firewall
enabled at
>>>>>> all in a default installation. At least the last time I looked
>>>>>> at them; maybe they've gotten smarter in the last couple of
>>>>>> years.
>>>>>>
>>>>>> I'm not really sure I see a benefit here. There may not even
be a
>>>>>> second firewall in front of the virtual machine; a user might
>>>>>> turn it off because it's getting in the way, or a cloud
provider
>>>>>> might not provide this feature at all. I know of at least one
>>>>>> public cloud provider which has an external firewall feature
>>>>>> similar to AWS security groups, but it's off by default. In
this
>>>>>> case I see plenty of downside.
>>>>>>
>>>>>>> If people disable their firewall then that's their
prerogative,
>>>>>>> but it's confusing and non-standard to have a firewall
>>>>>>> running on the instance and one running via the security
>>>>>>> group(s) that the host is in.
>>>>>
>>>>> Also, I don't trust the public cloud providers to configure
their
>>>>> firewall correctly.
>>>>
>>>> So in your case you just `chkconfig firewalld on` and configure it.
>>>> I'm sure that people who share your opinion (myself among them)
will
>>>> do that for the extra layer of security, but I'm just advocating
for
>>>> the Fedora images to follow the way other AMI's are handling
>>>> firewalls.
>
> And I'm saying that the way other AMIs do it is wrong. We should not also
> be wrong merely because everyone else is jumping off the cliff. Rather we
> should continue to be secure by default and require explicit action from
> the user to disable security, not explicit action to enable security.
>
>> It's not "disabl[ing] security", security groups already do that
for
>> you. You're adding an extra convoluted layer, and the vast majority of
>> users will just disable it and rely on security groups (that's conjecture
>> on my part). Have you ever heard about vulnerabilities in the AWS
>> security group implementation? I haven't.
>
I would figure Amazon would do everything in its power to prevent leakage of
information about vulnerabilities to the public. Their stock price would
take
a large hit...
Right, but I'm sure there are outside security researchers who are looking at security
groups who would publicly disclose vulnerabilities. There have been vulnerabilities in
iptables in the past and I'm sure there will be in the future, too.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlIwaM4ACgkQrlYvE4MpobN15gCgiDdJpXpg56jlhb+08JbgtiaN
fGQAoOEsGcfzXLiLinHBA3/x1nYI3LdF
=l2dv
-----END PGP SIGNATURE-----