Amazon Linux 2 embedded Firewall

0

Hello,

I'm looking for guidance on configuring firewalld on Amazon Linux 2.

I've been migrating some of our internal services to the Amazon Linux 2 AMI and encountered some connectivity issues. During the investigation it seems that Amazon Linux 2 is running the firewalld service on the instance, and this is the default configuration:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 1433/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

What should I be doing here? I already have networking configured at the VPC level, as well as via security groups... should I be disabling firewalld?

Should I be switching it to the 'trusted' zone?

Is this the intentional base configuration?

Thanks,
Paul

PaulG
asked 6 years ago, 7378 views
1 answer
0

I have a new Amazon Linux 2 up and running and it doesn't seem to have any type of firewall running. I also checked the installed packages and while the firewalld.noarch package is available to install it is not installed by default. Maybe your user-init script is installing it, or maybe there is a 3rd party service installing it for you, but I don't think it should be there by default.

Anyway, my personal thoughts are that between NACLs and Security Groups a host based firewall is probably overkill. We don't run any such software on our instances and I don't think I've ever heard a recommendation from AWS that it might be necessary.

answered 6 years ago
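Whether firewalld arrived through user data or a third-party package, the first thing to establish is what the active zone actually admits beyond what was intended. The script below is an added example, not code from the question or the answer: it parses a `firewall-cmd --list-all` style zone dump (the sample is constructed to match the zone shown in the question), reports every service or port outside an allow-list, and, when run on an instance that has firewalld installed, applies the same check to the live zone. Function names (`zone_field`, `unexpected_exposure`, `live_audit`) are this example's own.

```shell
#!/bin/sh
# Added example: audit what a firewalld zone exposes. The sample dump below is
# constructed to mirror the zone from the question; it is not live output.

SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 1433/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field FIELD ZONE_TEXT: print the value of one "  field: value" line
# from a firewall-cmd --list-all dump (empty string if the field is blank).
zone_field() {
  field="$1"
  printf '%s\n' "$2" | sed -n "s/^  $field:[[:space:]]*//p"
}

# unexpected_exposure ZONE_TEXT ALLOWED: list services and ports that the
# zone admits but that are not in the space-separated ALLOWED list. This is
# the review question for a host firewall that sits behind security groups:
# does it open anything the VPC layer was not already meant to allow?
unexpected_exposure() {
  zone="$1"
  allowed=" $2 "
  out=""
  for entry in $(zone_field services "$zone") $(zone_field ports "$zone"); do
    case "$allowed" in
      *" $entry "*) ;;                 # explicitly allowed, skip
      *) out="$out $entry" ;;          # not on the allow-list, report it
    esac
  done
  printf '%s' "${out# }"
}

# live_audit ALLOWED: on the instance itself, check whether firewalld is even
# present and running, then run the same comparison on the real active zone.
# Safe to call on a host without firewalld; it just reports and returns.
live_audit() {
  if ! command -v firewall-cmd >/dev/null 2>&1; then
    echo "firewalld is not installed (confirm with: rpm -q firewalld)"
    return 0
  fi
  if ! systemctl is-active --quiet firewalld; then
    echo "firewalld is installed but not active"
    return 0
  fi
  unexpected_exposure "$(firewall-cmd --list-all)" "$1"
  echo
}

# Stand-alone run: audit the constructed sample with only ssh allowed.
# To actually tighten a zone the matching commands are, for example:
#   firewall-cmd --permanent --zone=public --remove-port=1433/tcp
#   firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
#   firewall-cmd --reload
echo "Exposed beyond allow-list: $(unexpected_exposure "$SAMPLE_ZONE" ssh)"
```

Run on the sample it prints `dhcpv6-client 1433/tcp`, which is exactly the set a reviewer would want to reconcile against the security group before deciding whether to keep firewalld as a second layer or remove it.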
