Related

Local Connections with DigitalOcean Firewall enabled Question Question
DO Network Firewall vs UFW Question Question

Question

What are some basic DO cloud firewall rules for a web server?

Posted December 7, 2018 7.7k views
DigitalOcean Cloud FirewallsUbuntu 18.04

Hi,

I’m running a web server with a few virtual hosts.

I currently only have the ufw firewall, but I’m looking to implement a Digital Ocean cloud firewall.
However, what kind of rules do I need? I’m thinking about these inbound rules and sources:

Inbound rules
SSH: public IP of my home network
HTTP: All IPv4, All IPv6
HTTPS: All IPv4, All IPv6
MySQL: public IP of my home network

This seems good, but the outbound rules confuse me.
Outbound rules are meant for things like apt-get? I tried running a Digital Ocean firewall without outbound rules, but my websites didn’t work anymore (or really slow) and the Digital Monitoring didn’t work as well anymore.

What kind of (outbound) rules do I need to secure my web server and keep it running well?

Thanks!

Add a comment
thibault007
By:
thibault007

Related

Local Connections with DigitalOcean Firewall enabled Question Question
DO Network Firewall vs UFW Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
jarland December 10, 2018

Hey friend,

There are different schools of thought, but I personally leave all traffic open for outbound on my systems. My particular opinion is that if you manage the software, you have no reason to fear it doing it’s work, and therefore nothing to fear from it’s traffic. When reality plays out differently, it tends to be over the ports you would open anyway.

That said, I’d think these ports should be open outbound at a minimum:

80/tcp
443/tcp
53/udp

Don’t forget port 53 UDP out, as that will be your DNS lookups.

Jarland

Reply Report
  • thibault007 December 10, 2018

    Hi Jarland,

    Thanks a lot for the reply, very interesting!

    I understand that I shouldn’t worry about the outbound rules since I control the server.
    Since you mention that port 53 UDP is reponsible for DNS lookups, this would explain why my websites were loading slow/incorrect when I disabled all outbound traffic. The websites could load any external media or script so that explains it :)

    Many thanks!

    EDIT: hmm wait, that doesn’t explain it actually, since all external scripts are loaded client side. Do you know why my websites didn’t work good anymore when I blocked all outbound traffic?

    Reply Report
    • jarland December 10, 2018

      Good question! It could in fact be that something was doing a DNS lookup on page load and therefore timing out. I’ve seen this happen a lot. Back at an old job I recall a day when a Wordpress plugin developer’s website went down, and took down every website that used the plugin because it made a call to his website.

      Web servers or web applications also sometimes do reverse DNS lookups of visitor IPs and that could potentially cause timeouts.

      Pure theory, of course.

      Reply Report

Related

Looking for something else?

Ask a new question Search for more help