Question

Digital Ocean Firewalls are awesome for MongoDB. Why do I need ufw?

Posted September 7, 2017
MongoDB, Ubuntu, Firewall

I have my appServers tagged as apps and my database server(s) tagged as db.

Using purely Digital Ocean’s firewalls, create 2 rules:

tag:db rules

Incoming

  • SSH from anywhere
  • connections only from tag:apps on port 27017.

Outgoing

  • Anything goes

tag:apps rules

Incoming

  • SSH from anywhere
  • 80/443 from anywhere

Outgoing

  • Anything goes

This seems to make a lot of sense and I feel like I:

  • Don’t need to set up ufw on any servers, because that’s already taken care of
  • Don’t need to restrict incoming connections by IP with MongoDB config. I can just bind to 0.0.0.0 and accept from “anywhere” since DO-firewall already does that filtering.
  • Don’t need to enable auth in MongoDB (would only need to do this if SQL injection was a legitimate fear)

Could anyone help me understand why I should security-wise?

1 answer

That looks good to me! As long as you have your DO Firewalls configured properly (sounds like you do!), you won’t need to set up UFW or IPTables on your Droplet.

I agree with the first two points but not so much the third. I recommend setting up auth in MongoDB either way. This will keep your data safe in case something goes wrong and your databases become publicly accessible for some reason. Better be safe than sorry!
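The point about auth can be checked on the Droplet itself. The following is an added example, not part of the original question or answer: a small audit of a `mongod.conf` that reports when the database listens on all interfaces and when `security.authorization` is off, which is the combination that leaves the cloud firewall as the only layer. The sample configs, the private address and the function names `flatten` and `audit` are constructed for illustration, and the parser only handles the two-level YAML layout that `mongod.conf` normally uses.

```python
# Constructed sample configs (not taken from the post).
OPEN_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.132.0.5   # constructed private address
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten section/key pairs of a two-level mongod.conf into dotted keys."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith((" ", "\t")):       # top-level line: a section
            section = key
        elif section:
            settings[f"{section}.{key.strip()}"] = value.strip().strip("'\"")
    return settings

def audit(conf_text):
    """Return findings that mean the network firewall is the only control."""
    s = flatten(conf_text)
    findings = []
    # Assumption: a missing bindIp is treated as localhost-only.
    binds = [b.strip() for b in s.get("net.bindIp", "127.0.0.1").split(",")]
    bind_all = s.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("listens-on-all-interfaces")
    # authorization is off unless explicitly set to "enabled".
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("auth-disabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

With both findings present, a mistagged Droplet or a relaxed firewall rule is enough to expose the data; with auth enabled, the same mistake still requires valid credentials.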
