Comment 9 for bug 2038894

Philip Roche (philroche) wrote:

> a) You state that some policy says that no ports other than 22 should be open, which policy is that? Does it apply only to cloud images, or is it an Ubuntu policy in general?

I will try to find the referenced policy.

> b) This is in mantic release at the moment, and switching that option back to "no" could regress users that were relying on this default. What exactly are we losing when we disable this service in this SRU?

This was added in version 253.5-1ubuntu1 [1] of systemd on 11 Jul 2023 in the devel release. It was not an intentional change to open port 5353.

I am not entirely sure what we lose, but based on the systemd-resolved docs [2] we lose the ability to resolve .local domains.

> This resolver has a notion of the special ".local" domain used for MulticastDNS

> c) If this is only about cloud images, is the workaround in comment #4 something that could be added to the cloud image build process, or we really want to avoid that?

CPC are primarily concerned about cloud images, but enabling a new open port was an unintended consequence of the change and, I understand, not one that is desired.

> d) Are there specific security concerns with keeping this service enabled?

Yes. Google/GCE specifically have flagged this as an issue and a regression to have more than port 22 open.

[1] https://launchpad.net/ubuntu/+source/systemd/253.5-1ubuntu1
[2] https://www.freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html
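Added example, not from this bug report, from comment #4, or from the systemd package: a small POSIX shell script that (1) checks `ss -Hlun` output for a UDP socket bound to the mDNS port 5353, which is the extra open port discussed above, and (2) writes the systemd-resolved drop-in (`[Resolve]` / `MulticastDNS=no`) that stops resolved from binding that port, at the cost of the .local resolution the comment mentions. The `ss` listings embedded below are constructed sample data, and the drop-in file name `10-disable-mdns.conf` is an assumption (any `*.conf` name under resolved.conf.d works).

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd.
# 1) mdns_socket_bound: read `ss -Hlun` output on stdin and succeed if any
#    UDP socket is bound to the mDNS port 5353.
# 2) write_mdns_dropin: write a systemd-resolved drop-in that sets
#    MulticastDNS=no, which closes the port at the cost of .local resolution.

MDNS_PORT=5353

# Succeeds (exit 0) when some local address in the ss listing ends in :5353.
# `ss -Hlun` prints: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
mdns_socket_bound() {
    awk -v port="$MDNS_PORT" '
        { addr = $4; sub(/.*:/, "", addr); if (addr == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Writes the drop-in into $1 (default: the real resolved.conf.d, needs root).
# The file name 10-disable-mdns.conf is an assumption; any *.conf name works.
write_mdns_dropin() {
    dir="${1:-/etc/systemd/resolved.conf.d}"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-disable-mdns.conf" <<'EOF'
# Turn MulticastDNS off globally so systemd-resolved does not bind UDP 5353.
# Side effect: .local names are no longer resolved via mDNS.
[Resolve]
MulticastDNS=no
EOF
}

# Constructed sample of `ss -Hlun` output on a host with mDNS enabled
# (127.0.0.53:53 is systemd-resolved's normal stub listener, not mDNS).
SAMPLE_BEFORE='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample of the same host after MulticastDNS=no and a restart
# of systemd-resolved: only the stub listener remains.
SAMPLE_AFTER='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_BEFORE" | mdns_socket_bound; then
    echo "before: UDP $MDNS_PORT is bound (mDNS on)"
fi
if ! printf '%s\n' "$SAMPLE_AFTER" | mdns_socket_bound; then
    echo "after: UDP $MDNS_PORT is not bound (mDNS off)"
fi
```

On a live host the check is `ss -Hlun | mdns_socket_bound`; after writing the drop-in, `systemctl restart systemd-resolved` applies it, and re-running the check should then fail (port closed). `resolvectl mdns <link> no` toggles the same setting per link at runtime without a restart, but does not persist across reboots.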