Disabling UFW in favour of DO Cloud Firewall ?

Posted January 27, 2018 7.4k views
SecurityFirewallUbuntu 16.04

What are the pros and cons of using the Digital Ocean cloud firewall over something like UFW ? Should both be used at the same time or will that be redundant ?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
3 answers

UFW is a host-based tool, while DO’s Cloud Firewall is a network-based one… Using DO’s tool will not only provide reusability of rules (deploy inbound / outbound rules to many droplets - or even tags - at once) but also processes them before even getting to the droplet. Don’t get me wrong, UFW is an amazing, full-feature and extremely efficient tool, however when it comes to deploying shared common rules to lots of servers, it’s a bit time-consuming and repetitive task.

IMHO using them both at the same time would be redundant (assuming you have same rules on both firewalls). I would just go with the Cloud Firewall… Hope I could help!!!

If I use DO cloud firewall, does that also mean I can stop using fail2ban?

I guess you’d still need UFW/IPTables if you want to use fail2ban.

  • In my case, I dropped UFW and am relying on DO.
    Most of the ban from fail2ban comes from tries to connect to SSH through 22 or other ports.
    DO’s firewall will filter most of them, and they won’t even come to bother the software (connections on other ports than 22). That’s one relief for the instance.
    For those who keep trying on 22 (if 22 is the one you keep open for SSH), then yes, fail2ban will work the same, because it uses the SSH logs to find recurrent tries and ban them, through IPTables. No need of ifw here.

    Unless you have a specific app that listens to specific ports, you don’t need ufw, IMHO.