Effectuating firewall settings on a running EC2 instance.
This took me some time to figure out, so maybe it should be done automatically:
When you change the firewall settings of an ec2 instance through the admin console, nothing happens (e.g. I couldn't connect to port 8080). After confirming with telnet or wget that the server is doing fine, I suspected the firewall.
$ sudo su -
$ shorewall stop; shorewall start
Put the last command on a single line; you might not get the chance to issue start after shorewall is stopped...
Hey, sorry it took us so long to respond on this one. There are a couple of issues at play. We have a restart button in the manager console network tab to restart the firewall after multiple rules are added (this is to avoid the 3-5 second delay per restart that may get annoying if you're changing multiple rules). If the button is missing in your version, we're releasing a brand new manager console soon that will solve this issue.
However, there is another EC2-specific issue, which is that any EC2 security group settings will override the internal firewall, and it won't matter if you open a port on that firewall because it will not modify the EC2 security group. This is something we're working toward integrating in the future.
No problem, it didn't require a response. Indeed the restart button was missing when I created this tip. It works for me to just change the settings in the admin console and restart shorewall afterwards from the terminal. Just as long as I know what to do, it's fine.
When running an Elastic Server on Amazon EC2, the firewall and security issues get more complicated.
Amazon launched the VM in what is essentially a VLAN which is controlled there at the network level. This is controlled by the Amazon security group that you launched the instance in. These security groups can define access between VMs in the same security group and the access into the VMs from outside the VLAN (from the Internet). Think of this as the "outside in" security.
At the same time it is good practice to have "inside out" security inside each VM and controlled by the VM itself. We by default build the open source "shorewall" firewall into each Elastic Server. When your Elastic Server is manufactured we build you an Amazon security group with the same name as the Amazon Machine Image (AMI) that is built. We open some ports by default like 22, 2999 (Elastic Server Manager port). Also we look at an adapter format we call "rubberbands" in the /etc/cft/mods-available directory. If an adaptor exists in this directory, we see if it opens ports for the component it describes. (MORE ON these components called "rubberbands" later.)
So at the time of VM assembly and build we have your EC2 credentials in the factory and as such can build an appropriate security group based on your specifications at that time.
Once the VM moves to Amazon and is live - that is the open question and we would love to get some feedback. Ideally when you interact with the Elastic Server Manager on port 2999 - if you change something in the "inside out" firewall - we should update the "outside in" firewall (the Amazon security group). But that would require your EC2 credentials inside the VM, which to us seems a bit much. We have resisted functionality that has your secret key or your x509 certs being included in the VM. What should we do here - we would love some opining.
One idea we had was having a web service from the VM back to the Elastic Server factory requesting that the stored credentials be used on its behalf to modify the EC2 security group. This would have you entering your Elastic Server username/password on the fly when prompted by the "change firewall settings" UI.
To the alternative - if the EC2 security group is changed how would we change the VM firewall - not sure.
One could disable the Elastic Server firewall by default - but I don't recommend that since the VM might wake up and be running anywhere: EC2, another cloud, a local VM workstation instance, etc. I think it is good behavior to buy security (EC2 VLAN for example) as part of my cloud provider's services, but also to provide my own security through components in the VM. I want some local security I can control - distinct from the ambient environment the VM is running in.
Here is a web post I did a while back on how to modify the EC2 security groups using what is now called "ElasticFox" and using the Elastic Server Manager to configure the built in firewall.
http://elasticserver.blogspot.com/200...
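The two-layer situation described in this thread (a port opened in the instance's "inside out" shorewall firewall that stays blocked by the "outside in" EC2 security group, which is exactly why port 8080 was unreachable in the original tip) can be audited from the outside without ever placing EC2 credentials inside the VM. The script below is an added example, not code from the thread or from the Elastic Server product. It assumes shorewall's rules-file column layout (ACTION SOURCE DEST PROTO DPORT) and the IpPermissions structure that EC2's DescribeSecurityGroups returns; the rules text, the group name "elastic-server-demo" and the permission entries are constructed sample data. It goes slightly beyond the thread's single port by also handling shorewall port ranges and an "all traffic" (IpProtocol "-1") security group rule.

```python
"""Audit an instance's shorewall rules against its EC2 security group.

Added example (not the thread's or Elastic Server's own code). Assumes the
shorewall rules format ACTION SOURCE DEST PROTO DPORT and the IpPermissions
structure returned by EC2 DescribeSecurityGroups. All sample data below is
constructed for the demonstration.
"""
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed sample: the "inside out" firewall opens 22, 2999, 8080 and udp/123.
SHOREWALL_RULES = """\
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    net      $FW    tcp     22
ACCEPT    net      $FW    tcp     2999
ACCEPT    net      $FW    tcp     8080
ACCEPT    net      $FW    udp     123
DROP      net      $FW    tcp     23
"""

# Constructed sample: the "outside in" security group only opens 22 and 2999.
SECURITY_GROUP = {
    "GroupName": "elastic-server-demo",  # hypothetical group name
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 2999, "ToPort": 2999,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def parse_shorewall_accepts(rules_text: str) -> Set[Port]:
    """Return (proto, port) pairs that shorewall ACCEPTs from the net zone to $FW."""
    opened: Set[Port] = set()
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        action, source, dest, proto, dport = fields[:5]
        if action.upper() != "ACCEPT" or source != "net" or dest != "$FW":
            continue
        # DPORT may be a list ("80,443") and each item may be a range ("8000:8010").
        for item in dport.split(","):
            lo, _, hi = item.partition(":")
            hi = hi or lo
            for port in range(int(lo), int(hi) + 1):
                opened.add((proto.lower(), port))
    return opened


def security_group_ports(group: Dict) -> Optional[Set[Port]]:
    """Return inbound (proto, port) pairs the group allows from a CIDR source.

    Returns None when an "all traffic" rule (IpProtocol "-1") is present,
    since then every port the instance opens is reachable.
    """
    allowed: Set[Port] = set()
    for perm in group.get("IpPermissions", []):
        if not perm.get("IpRanges") and not perm.get("Ipv6Ranges"):
            continue  # group-to-group rules do not grant Internet access
        proto = perm.get("IpProtocol")
        if proto == "-1":
            return None
        lo = perm.get("FromPort", 0)
        hi = perm.get("ToPort", 65535)
        for port in range(lo, hi + 1):
            allowed.add((proto.lower(), port))
    return allowed


def unreachable_ports(rules_text: str, group: Dict) -> Set[Port]:
    """Ports the instance firewall opens but the security group still blocks."""
    sg_open = security_group_ports(group)
    if sg_open is None:
        return set()
    return parse_shorewall_accepts(rules_text) - sg_open


def report(rules_text: str, group: Dict) -> List[str]:
    """Human-readable list of mismatches between the two layers."""
    return [
        f"{proto}/{port}: ACCEPTed by shorewall but not allowed by security group "
        f"{group.get('GroupName', '?')}"
        for proto, port in sorted(unreachable_ports(rules_text, group))
    ]


if __name__ == "__main__":
    for line in report(SHOREWALL_RULES, SECURITY_GROUP):
        print(line)
```

In practice you would feed the script the contents of /etc/shorewall/rules from the instance and the JSON that `aws ec2 describe-security-groups` returns from a workstation that holds the EC2 credentials, which keeps the keys and certificates out of the VM as the employee's post argues they should be.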