Why is no firewall (firewall-cmd) installed by default on Fedora CoreOS?

I discovered that, in contrast to Fedora IoT 34, no firewall is installed on Fedora CoreOS 34.
At least not firewalld / a firewall controllable with firewall-cmd.

What is the reason for doing so?

And for security reasons, would you advise layering firewalld with rpm-ostree, so it can be used? IMHO a firewall is a good defense-in-depth mechanism, also (or maybe especially) for servers.

Also, if there is a reason it is not installed in CoreOS, why is it in Fedora IoT then?

firewalld requires Python and Fedora CoreOS doesn’t ship Python. We do ship the lower-level iptables/nftables/ebtables tools, but unfortunately we don’t have documentation yet for using them to configure the firewall on FCOS.


Well… such low-level tools are inconvenient to use, and AFAIK Cockpit also has no support for them, if you are going to use that.

As such, I guess layering firewalld is the only “real” option here.