Question

Using DigitalOcean's firewall for only allowing traffic on a specific interface

With UFW I can set up rules to allow from anywhere on one specific interface and only allow one machine to access my server via its internal private IP.

Is this possible using Digital Ocean’s firewall? I have no issue using UFW but just wanted to make it easier with DigitalOcean’s UI for our team down the road.



alexdo
Site Moderator
November 23, 2023

Heya,

As Bobby mentioned, DigitalOcean's firewalls don't differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.

You can use a mixture of both UFW and DigitalOcean's firewalls to set the desired set of rules, but you'll need to be cautious not to misconfigure the rules and lock yourself out of the droplet or block regular traffic.

Regards

Bobby Iliev
Site Moderator
November 18, 2023

Hey there,

You can certainly configure rules similar to UFW to restrict traffic based on source addresses and ports. However, DigitalOcean’s firewalls don’t differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.

Here’s what you can do with DigitalOcean’s Cloud Firewalls:

  1. You can create rules that allow traffic from specific IP addresses or ranges, which is perfect for allowing only one machine to access your server via its internal private IP.

  2. You can specify which ports are open and to which source IPs or IP ranges they are accessible. This helps to ensure that only the allowed services can be reached by the specified machines.

For your specific case, if you want to allow traffic from anywhere on a particular service (like HTTP or HTTPS) and restrict SSH to just one machine, you could set up two rules:

  • HTTP and HTTPS are allowed from all IPs (0.0.0.0/0 and ::/0 for IPv4 and IPv6 respectively).
  • SSH is only allowed from your specific internal private IP address.

While DigitalOcean’s firewall won’t differentiate based on the interface, you can achieve a similar level of security by carefully crafting your inbound rules to match the desired access patterns.

For interface-specific rules, you’ll need to stick with UFW or another host-based firewall solution that supports interface-based rules.

The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.

https://ideas.digitalocean.com/

Hope that helps!

- Bobby.

I’m pretty sure the firewalls are only between the public network and the VPS.
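The two layers described in Bobby's and alexdo's answers, written out as commands. This is an added example, not code from the thread or from DigitalOcean: the interface names (eth0 public, eth1 VPC), the admin IP 10.132.0.5, the droplet ID 123456 and the firewall name are assumptions to replace with your own. The UFW rules carry the interface constraint the question asks for; the doctl command is the closest Cloud Firewall equivalent, which can only constrain the SSH rule by source address. Nothing is executed unless APPLY=1, so the generated commands can be reviewed first.

```shell
#!/usr/bin/env sh
# Added example (not from the original thread). Assumed values below;
# override them via environment variables for your droplet.
PUBLIC_IF="${PUBLIC_IF:-eth0}"        # assumed: droplet's public interface
PRIVATE_IF="${PRIVATE_IF:-eth1}"      # assumed: droplet's VPC interface
ADMIN_IP="${ADMIN_IP:-10.132.0.5}"    # assumed: the one machine allowed to SSH
DROPLET_ID="${DROPLET_ID:-123456}"    # assumed: target droplet ID
FW_NAME="${FW_NAME:-web-ssh-restricted}"

# Layer 1: host firewall (UFW), which can scope rules to an interface.
# The SSH allow is emitted before 'ufw enable' so that an existing session
# over the private interface survives the switch to default-deny.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on ${PRIVATE_IF} from ${ADMIN_IP} to any port 22 proto tcp
ufw allow in on ${PUBLIC_IF} to any port 80,443 proto tcp
ufw --force enable
EOF
}

# Layer 2: DigitalOcean Cloud Firewall via doctl. There is no interface key,
# so SSH is restricted by source address only. Once the firewall is attached,
# inbound traffic matching no rule is dropped, so outbound rules are stated
# explicitly to keep the droplet's own connections working.
do_firewall_cmd() {
    printf '%s\n' "doctl compute firewall create --name ${FW_NAME} \\
  --inbound-rules \"protocol:tcp,ports:22,address:${ADMIN_IP}/32 protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0\" \\
  --outbound-rules \"protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0 protocol:icmp,address:0.0.0.0/0,address:::/0\" \\
  --droplet-ids ${DROPLET_ID}"
}

# Lockout guard: succeed only if the SSH allow precedes the enable step.
ufw_ssh_before_enable() {
    ufw_rules | awk '/port 22/ {ssh=NR} /enable/ {en=NR} END {exit !(ssh && en && ssh < en)}'
}

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        ufw_ssh_before_enable || { echo "refusing: SSH rule must precede enable" >&2; return 1; }
        ufw_rules | sh -e            # needs root on the droplet
        eval "$(do_firewall_cmd)"    # needs an authenticated doctl
    else
        echo "# dry run; set APPLY=1 to execute"
        ufw_rules
        do_firewall_cmd
    fi
}

run
```

Because the Cloud Firewall rule admits SSH only from one private address, keep a second path in (the web console, or another host inside the same VPC) before attaching it; with both layers active a packet must pass the cloud rule and then the interface-scoped UFW rule.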
