Redhat7 on Amazon firewall

MinaryMinary Posts: 74Member ■■□□□□□□□□
I am using Redhat7 64 on Amazon ec2. It is a fresh instance and I am trying to configure the firewall.

It does not have firewalld installed as I expected. (Like my centos7 64). Amazon say that Redhat7 is identical to the Redhat7 from Redhat.

I have the Amazon Firewall set correctly which operates outside the instance. I can ping etc too.
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)


systemctl status firewalld
firewalld.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)


sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT


service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

This includes a few differences to my centos7 too:
redhat7 from amazon:
ls /etc/sysconfig
. console
grub
irqbalance
modules
rdisc
rsyncd
sshd
.. cpupower
init
kdump
netconsole
readonly-root
rsyslog
wpa_supplicant
authconfig
crond
ip6tables-config
kernel
network
rh-cloud-firstboot
run-partscbq
firstboot
iptables-config
man-db
network-scripts
rhn selinux


(I previously installed the same type of instance, installed firewalld and was able to open the ports I needed on it. But I still could not connect. I choped and changed a few things,figured there was another firewall, did extensive googling, edited files, but I was still not able to open the ports so I am starting from the beginning and my eyes are crossed )

thanks.

Any non related experiece with Linux gotcha's on cloud services would be welcome too.
(Such as this reason to use ebs-boot. http://alestic.com/2012/01/ec2-ebs-boot-recommended)

Comments

  • MinaryMinary Posts: 74Member ■■□□□□□□□□
    I assume that the firewall is removed and the Security Policy firewall is intended to be used instead.
  • PupilPupil Posts: 168Member
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Pupil wrote: »
    Is CentOS 7 available on AWS now?

    Not that I've seen so far. You could make your own AMI though.
  • chanakyajupudichanakyajupudi Posts: 712Member
    There is no RH7 on AWS as yet.
    Work In Progress - RHCA [ ] Certified Cloud Security Professional [ ] GMON/GWAPT if Work Study is accepted [ ]
    http://adarsh.amazonwebservices.ninja


  • MinaryMinary Posts: 74Member ■■□□□□□□□□
    Well I am using RHEL7 one now.



    Has anyone used the Amazon linux ? Any good reason too ?
  • MinaryMinary Posts: 74Member ■■□□□□□□□□
    I just did an install and config with the centos7 minimal image. It seems very similar to the amazon image which makes sense. No ifconfig or firewall etc.
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Now you have piqued my interest...this is on my to-do list today, will report back later with some findings.
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Confirming that the AWS RH7 AMI does not include the firewalld package by default. Not entirely sure why they ripped it out when RH7 documentation says it is installed by default. What is even more interesting is that the iptables package is also not installed by default either.

    I work for an org that is an AWS partner so I'm reaching out to them to find out the rationale behind the move. Stay tuned.
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Not to revive an old thread, but I did hear back from Amazon about this. Apparently Amazon asked Red Hat not to install the firewalld package in their AMI because it is redundant (AWS security groups). Not really sure I agree with that, but I did want to post their response/reasoning.
  • darkerosxxdarkerosxx Posts: 1,343Banned
    The default iptables chain and the default security groups have basically the same rules, so leaving iptables enabled by default would waste CPU by default, which is bad.
  • NightShade03NightShade03 Posts: 1,383Member ■■■■■■■□□□
    Agreed, but I do think that should be documented somewhere. I bet you that most people using AMIs assume that they are a 100% copy of the real OS which could lead to assumptions/confusion. It wouldn't be hard for orgs like Red Hat and such to call out some differences in the notes of the AMI.
Sign In or Register to comment.