Using DigitalOceans firewall for only allowing traffic on specific interface

With UFW I can setup rules to allow from anywhere on one specific interface and only allow one machine to access my server via internal private IP.

Is this possible using Digital Ocean’s firewall? I have no issue using UFW but just wanted to make it easier with DigitalOcean’s UI for our team down the road.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Site Moderator
Site Moderator badge
November 23, 2023


As Bobby mentioned DigitalOcean’s firewalls don’t differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.

You can use a mixture of both UFW and DigitalOcean’s firewalls to set the desired set of rules, but you’ll need to be cautious not to misconfigure the rules and lock yourself from the droplet or block regular traffic.


Bobby Iliev
Site Moderator
Site Moderator badge
November 18, 2023

Hey there,

You can certainly configure rules similar to UFW to restrict traffic based on source addresses and ports. However, DigitalOcean’s firewalls don’t differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.

Here’s what you can do with DigitalOcean’s Cloud Firewalls:

  1. You can create rules that allow traffic from specific IP addresses or ranges, which is perfect for allowing only one machine to access your server via its internal private IP.

  2. You can specify which ports are open and to which source IPs or IP ranges they are accessible. This helps to ensure that only the allowed services can be reached by the specified machines.

For your specific case, if you want to allow traffic from anywhere on a particular service (like HTTP or HTTPS) and restrict SSH to just one machine, you could set up two rules:

  • HTTP and HTTPS are allowed from all IPs ( and ::/0 for IPv4 and IPv6 respectively).
  • SSH is only allowed from your specific internal private IP address.

While DigitalOcean’s firewall won’t differentiate based on the interface, you can achieve a similar level of security by carefully crafting your inbound rules to match the desired access patterns.

For interface-specific rules, you’ll need to stick with UFW or another host-based firewall solution that supports interface-based rules.

The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.

Hope that helps!

- Bobby.

I’m pretty sure the firewalls are only between the public network and the VPS.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel