Hi,

I have set up the cloud firewall to "SSH Sources: my IP address".
I imagined it would only allow my IP to connect to SSH.

However, in my log I can see bots spamming my SSH port; shouldn't other IPs be blocked?

1 comment
  • When you create a VPC firewall rule, you specify a VPC network and a set of components that define what the rule does. The components enable you to target certain types of traffic, based on the traffic’s protocol, ports, sources, and destinations. For more information, see firewall rule components.

    You create or modify VPC firewall rules by using the Google Cloud Console, gcloud command-line tool, and REST API. When you create or modify a firewall rule, you can specify the instances to which it is intended to apply by using the target component of the rule.

    In addition to firewall rules that you create, Google Cloud has other rules that can affect incoming (ingress) or outgoing (egress) connections:

    Google Cloud doesn’t allow certain IP protocols, such as egress traffic on TCP port 25 within a VPC network. For more information, see always blocked traffic.

    Google Cloud always allows communication between a VM instance and its corresponding metadata server at 169.254.169.254. For more information, see always allowed traffic.

    Every network has two implied firewall rules that permit outgoing connections and block incoming connections. Firewall rules that you create can override these implied rules.

    The default network is pre-populated with firewall rules that you can delete or modify.

2 answers

Hi there @philippe15,

I’ve just tested this, and I can confirm that if configured correctly, the firewall will not allow any connections to your Droplet. All connections will be filtered on the firewall level and not reach your Droplet.

You need to make sure that your firewall is configured correctly in terms of rules and then assign your Droplet to the firewall.

For more information, you can take a look at the official documentation here:

https://www.digitalocean.com/docs/networking/firewalls/

Let me know if you have any questions.
Regards,
Bobby
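The answer above boils down to two checks: the SSH rule must list only your own address as a source, and the Droplet must actually be attached to the firewall (directly or through a tag). The following script is an added example, not DigitalOcean's code or anything from the thread; it audits the firewall objects that `doctl compute firewall list -o json` prints (the same objects the /v2/firewalls API returns) and reports every reason that hosts other than your address could still reach tcp/22. The sample dump, the Droplet ID and the admin address are constructed and made up.

```python
"""Audit a DigitalOcean Cloud Firewall for an "SSH only from my IP" policy.

Input is the JSON that `doctl compute firewall list -o json` prints (the same
firewall objects the /v2/firewalls API returns). This is an added example,
not DigitalOcean code; the sample below is constructed and its IDs and
addresses are made up (RFC 5737 documentation addresses).
"""
import ipaddress
import json

# Constructed sample dump: two firewalls, neither real. The first has the
# right SSH rule but no Droplet attached; the second is attached to the
# Droplet but leaves tcp/22 open to the world.
SAMPLE_FIREWALLS_JSON = r"""
[
  {
    "id": "00000000-0000-4000-8000-000000000001",
    "name": "ssh-from-home",
    "status": "succeeded",
    "inbound_rules": [
      {"protocol": "tcp", "ports": "22",
       "sources": {"addresses": ["203.0.113.10/32"]}},
      {"protocol": "tcp", "ports": "443",
       "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}
    ],
    "outbound_rules": [
      {"protocol": "tcp", "ports": "all",
       "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}}
    ],
    "droplet_ids": [],
    "tags": [],
    "pending_changes": []
  },
  {
    "id": "00000000-0000-4000-8000-000000000002",
    "name": "ssh-open-to-world",
    "status": "succeeded",
    "inbound_rules": [
      {"protocol": "tcp", "ports": "22",
       "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}
    ],
    "outbound_rules": [],
    "droplet_ids": [123456],
    "tags": [],
    "pending_changes": []
  }
]
"""

ADMIN_DROPLET_ID = 123456          # made-up Droplet ID
ADMIN_CIDR = "203.0.113.10/32"     # made-up "my IP address"


def port_covers(ports, port):
    """True if a rule's ports field ("22", "all", "8000-8100") includes port."""
    if not ports:
        return False
    if ports == "all":
        return True
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
        return lo <= port <= hi
    return int(ports) == port


def audit_ssh_rule(firewall, droplet_id, admin_cidr, ssh_port=22):
    """Return findings explaining why hosts other than admin_cidr could still
    reach tcp/ssh_port on droplet_id. An empty list means the policy holds."""
    findings = []
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)

    # 1. The firewall must be live and actually attached to the Droplet.
    if firewall.get("status") != "succeeded":
        findings.append("firewall status is %r, not 'succeeded'" % firewall.get("status"))
    if firewall.get("pending_changes"):
        findings.append("firewall has pending changes; rules are not fully enforced yet")
    if droplet_id not in firewall.get("droplet_ids", []):
        findings.append("droplet %d is not assigned to this firewall "
                        "(check tag-based assignment too)" % droplet_id)

    # 2. Every inbound rule that reaches the SSH port must be limited to admin_cidr.
    ssh_rules = [r for r in firewall.get("inbound_rules", [])
                 if r.get("protocol") == "tcp" and port_covers(r.get("ports", ""), ssh_port)]
    if not ssh_rules:
        findings.append("no inbound rule allows tcp/%d; the admin would be locked out" % ssh_port)
    for rule in ssh_rules:
        sources = rule.get("sources", {})
        for cidr in sources.get("addresses", []):
            net = ipaddress.ip_network(cidr, strict=False)
            # Version check first: subnet_of() refuses to compare v4 with v6.
            if net.version != admin_net.version or not net.subnet_of(admin_net):
                findings.append("tcp/%d is open to %s, which is not contained in %s"
                                % (ssh_port, cidr, admin_cidr))
        # Non-address sources (other Droplets, tags, LBs) also bypass the IP allow-list.
        for key in ("droplet_ids", "tags", "load_balancer_uids", "kubernetes_ids"):
            if sources.get(key):
                findings.append("tcp/%d also admits sources by %s: %r"
                                % (ssh_port, key, sources[key]))
    return findings


def audit_all(firewalls_json, droplet_id, admin_cidr):
    """Audit every firewall in a `doctl compute firewall list -o json` dump."""
    return {fw["name"]: audit_ssh_rule(fw, droplet_id, admin_cidr)
            for fw in json.loads(firewalls_json)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FIREWALLS_JSON, ADMIN_DROPLET_ID, ADMIN_CIDR).items():
        print(name + ":", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real dump with `doctl compute firewall list -o json > fw.json` and pass the file contents to `audit_all` with your Droplet ID and your address as a /32. An empty list for the firewall you expect to protect the Droplet means the rules and the assignment both hold; a "not assigned" finding is the usual reason bots still show up in the SSH log, and a "not contained" finding means a rule admits more than your address.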

Google Cloud doesn’t allow certain IP protocols, such as egress traffic on TCP port 25 within a VPC network. For more information, see always blocked traffic.

Blocked traffic: Certain GRE traffic (beta)
Applies to:
• Traffic in Cloud VPN tunnels
• Traffic on Cloud Interconnect attachments (VLANs)
• Traffic for forwarding rules (load balancing or protocol forwarding)
GRE is allowed within a VPC network.

Blocked traffic: Protocols other than TCP, UDP, ICMP, AH, ESP, SCTP, and GRE to external IP addresses of Google Cloud resources
Applies to: The type of resource further limits the protocol. For example, Network TCP/UDP Load Balancing supports only TCP and UDP. Also, a forwarding rule for protocol forwarding only processes a single protocol. Refer to the protocol forwarding documentation for a list of supported protocols.

Blocked traffic: Egress traffic to TCP destination port 25 (SMTP)
Applies to: Traffic from:
• instances to external IP addresses on the internet
• instances to external IP addresses of instances