By colinbester
With UFW I can setup rules to allow from anywhere on one specific interface and only allow one machine to access my server via internal private IP.
Is this possible using Digital Ocean’s firewall? I have no issue using UFW but just wanted to make it easier with DigitalOcean’s UI for our team down the road.
I’m pretty sure the firewalls are only between the public network and the VPS.
Hey there,
You can certainly configure rules similar to UFW to restrict traffic based on source addresses and ports. However, DigitalOcean’s firewalls don’t differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.
Here’s what you can do with DigitalOcean’s Cloud Firewalls:
You can create rules that allow traffic from specific IP addresses or ranges, which is perfect for allowing only one machine to access your server via its internal private IP.
You can specify which ports are open and to which source IPs or IP ranges they are accessible. This helps to ensure that only the allowed services can be reached by the specified machines.
For your specific case, if you want to allow traffic from anywhere on a particular service (like HTTP or HTTPS) and restrict SSH to just one machine, you could set up two rules:
0.0.0.0/0 and ::/0 for IPv4 and IPv6 respectively).
While DigitalOcean’s firewall won’t differentiate based on the interface, you can achieve a similar level of security by carefully crafting your inbound rules to match the desired access patterns.
For interface-specific rules, you’ll need to stick with UFW or another host-based firewall solution that supports interface-based rules.
The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.
Hope that helps!
- Bobby.
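As an added example (not from the thread, and not DigitalOcean's own code), this is Bobby's two-rule layout expressed for `doctl` (HTTP/HTTPS from anywhere on IPv4 and IPv6, SSH only from one machine) next to the interface-aware UFW rules that only a host firewall can express. The private IP 10.132.0.5, the firewall name and the use of eth0/eth1 as public/private interfaces are assumptions.

```shell
#!/bin/sh
# Added example: build a DigitalOcean Cloud Firewall rule set matching the
# answer above and apply it with doctl. Values below are constructed for
# the example; replace them with your own.
ADMIN_HOST_IP="10.132.0.5"          # the one machine allowed to SSH (assumed)
FIREWALL_NAME="web-ssh-restricted"  # assumed firewall name

# inbound_rules: the --inbound-rules value for doctl. Rule syntax is
# "protocol:<p>,ports:<n>,address:<cidr>[,address:<cidr>...]", space-separated.
# SSH is pinned to a /32, web ports are open to all of IPv4 and IPv6.
inbound_rules() {
  printf '%s %s %s' \
    "protocol:tcp,ports:22,address:${ADMIN_HOST_IP}/32" \
    "protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0" \
    "protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0"
}

# outbound_rules: allow the droplet to reach anywhere (stated explicitly so
# the rule set is complete; Cloud Firewalls deny what is not listed).
outbound_rules() {
  printf '%s %s' \
    "protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0" \
    "protocol:udp,ports:all,address:0.0.0.0/0,address:::/0"
}

# ufw_host_rules: the half the cloud firewall cannot express, i.e. binding
# SSH to the private interface (eth1 assumed) and the web ports to the public
# one (eth0 assumed). Add the SSH rule before `ufw enable` so you are not
# locked out of the droplet.
ufw_host_rules() {
  printf '%s\n' \
    "ufw allow in on eth1 from ${ADMIN_HOST_IP} to any port 22 proto tcp" \
    "ufw allow in on eth0 to any port 80 proto tcp" \
    "ufw allow in on eth0 to any port 443 proto tcp"
}

# apply_cloud_firewall: create the firewall if doctl is installed; otherwise
# print the exact command so the rule set can be reviewed first.
apply_cloud_firewall() {
  if command -v doctl >/dev/null 2>&1; then
    doctl compute firewall create --name "$FIREWALL_NAME" \
      --inbound-rules "$(inbound_rules)" --outbound-rules "$(outbound_rules)"
  else
    printf 'doctl compute firewall create --name %s --inbound-rules "%s" --outbound-rules "%s"\n' \
      "$FIREWALL_NAME" "$(inbound_rules)" "$(outbound_rules)"
  fi
}
```

Attach the created firewall to the droplet afterwards from the control panel, and keep the UFW rules in place for the interface restriction that the cloud firewall cannot provide.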
Heya,
As Bobby mentioned, DigitalOcean’s firewalls don’t differentiate traffic by the network interface, like UFW does with rules specifying eth0 or eth1.
You can use a mixture of both UFW and DigitalOcean’s firewalls to set the desired set of rules, but you’ll need to be cautious not to misconfigure the rules and lock yourself out of the droplet or block regular traffic.
Regards