https://bugzilla.suse.com/show_bug.cgi?id=1213627

Bug ID: 1213627
Summary: Firewalld and container compatibility leading to not include a firewall by default in Aeon?
Classification: openSUSE
Product: openSUSE Aeon
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Base
Assignee: rbrown@suse.com
Reporter: kjong+lists@neobits.nl
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Hi,

I'm intrigued by the Aeon project, but the choice of not installing a firewall by default worries me. I know I can enable the firewall pattern in the installer, or install it later on with `transactional-update package install firewalld`. And that works fine. But not having it there in a default installation opens up certain attack vectors in my opinion.

I've read some reasoning about this on online platforms, such as that a firewall is not needed or would mess up container setups. I'm not so sure if I agree to the point of not including a firewall by default. If it's in the way for a user that wants to do something "special", then that user can disable/modify the firewall. But by default it would make sense to have the protection of a firewall.

I didn't open this issue to debate it, but to understand the reasoning better. Maybe I'm wrong, that's also possible. Then this would be a nice reference point for future questions.

On the firewalld page it mentions compatibility with Podman and Docker (iptables only):
Applications and libraries which support firewalld as a firewall management tool include:
    NetworkManager
    libvirt
    podman
    docker (iptables backend only)
    fail2ban
I have also been hosting a Discourse forum on Debian for a couple of years, which runs in a Docker container, with firewalld enabled. I have not encountered issues so far. It of course depends on the use case when issues may arise with firewalld. But this is an example of when the firewall would not be an issue, and it is good to have it around as a layer of protection. One of many layers, as security should be applied. If one layer fails, there is another one to protect the data.
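The compatibility note quoted above says docker is supported only with firewalld's iptables backend, so a practical check before pairing Docker with firewalld on a host is to confirm which backend firewalld is configured to use. The script below is an added example written for this page; it is not part of the bug report and not firewalld or Aeon project code. It parses the FirewallBackend key from firewalld.conf text (the sample configuration is constructed for the example) and flags the nftables backend as the case the quoted note does not cover. It assumes firewalld's shipped default of nftables when the key is absent; the live-check function at the end uses firewall-cmd on a real host and is only run when that command is present.

```shell
#!/bin/sh
# Added example, not from the bug report or from firewalld/Aeon.
# Checks which backend firewalld is configured with, because the firewalld
# documentation quoted in the report supports docker only with the iptables
# backend.

# Constructed sample of a firewalld.conf fragment (not taken from any host).
# Note the commented-out iptables line: only the active key must count.
CONSTRUCTED_CONF='# sample firewalld.conf fragment (constructed)
DefaultZone=public
# FirewallBackend=iptables
FirewallBackend=nftables
LogDenied=off'

# firewalld_backend TEXT
# Print the effective FirewallBackend value from firewalld.conf contents.
# Comment lines are skipped; the last active assignment wins. When the key
# is absent, "nftables" is printed, which is assumed here to be firewalld's
# shipped default.
firewalld_backend() {
    val=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1)
    if [ -z "$val" ]; then
        echo nftables
    else
        echo "$val"
    fi
}

# docker_compatible_backend TEXT
# Succeed (exit 0) only when the configured backend is the one the quoted
# firewalld compatibility list names for docker.
docker_compatible_backend() {
    [ "$(firewalld_backend "$1")" = "iptables" ]
}

# report_live
# On a real host, show firewalld state, the effective backend from
# /etc/firewalld/firewalld.conf, and the default zone. Skipped when
# firewall-cmd is not installed (for example before running
# `transactional-update package install firewalld` on Aeon).
report_live() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found; firewalld is not installed on this host"
        return 0
    }
    echo "firewalld state:   $(firewall-cmd --state 2>&1)"
    if [ -r /etc/firewalld/firewalld.conf ]; then
        echo "configured backend: $(firewalld_backend "$(cat /etc/firewalld/firewalld.conf)")"
    fi
    echo "default zone:      $(firewall-cmd --get-default-zone 2>&1)"
}

# Stand-alone run: evaluate the constructed sample, then the live host.
backend=$(firewalld_backend "$CONSTRUCTED_CONF")
echo "sample config backend: $backend"
if docker_compatible_backend "$CONSTRUCTED_CONF"; then
    echo "sample config: backend is iptables, the one listed as docker-compatible"
else
    echo "sample config: backend is $backend; the quoted firewalld list names only iptables for docker"
fi
report_live
```

Run it as a plain POSIX sh script; the functions take the configuration text as an argument, so they can also be fed the real file with `firewalld_backend "$(cat /etc/firewalld/firewalld.conf)"`.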