What are some basic DO cloud firewall rules for a web server?


I’m running a web server with a few virtual hosts.

I currently only have the ufw firewall, but I’m looking to implement a Digital Ocean cloud firewall. However, what kind of rules do I need? I’m thinking about these inbound rules and sources:

Inbound rules:
- SSH: public IP of my home network
- HTTP: All IPv4, All IPv6
- HTTPS: All IPv4, All IPv6
- MySQL: public IP of my home network

This seems good, but the outbound rules confuse me. Outbound rules are meant for things like apt-get? I tried running a Digital Ocean firewall without outbound rules, but my websites didn’t work anymore (or really slow) and the Digital Monitoring didn’t work as well anymore.

What kind of (outbound) rules do I need to secure my web server and keep it running well?




Hey friend,

There are different schools of thought, but I personally leave all traffic open for outbound on my systems. My particular opinion is that if you manage the software, you have no reason to fear it doing its work, and therefore nothing to fear from its traffic. When reality plays out differently, it tends to be over the ports you would open anyway.

That said, I’d think these ports should be open outbound at a minimum:

- 80/tcp
- 443/tcp
- 53/udp

Don’t forget port 53 UDP out, as that will be your DNS lookups.
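The asker's inbound plan and the answer's outbound minimum, written out as a DigitalOcean cloud firewall definition plus a few pre-flight checks. This is an added example, not code from the thread or from DigitalOcean: the field names (`inbound_rules`, `outbound_rules`, `sources`, `destinations`) are the ones the DigitalOcean API's `POST /v2/firewalls` body uses, while the home IP, firewall name and droplet ID are made-up placeholders. The outbound set goes slightly beyond the answer: it also allows 53/tcp (DNS falls back to TCP for large answers), 123/udp (NTP) and ICMP, which are this example's assumptions rather than anything the thread states.

```python
"""Build and sanity-check a DigitalOcean cloud firewall definition.

Added example, not from the original thread. It produces the JSON body
that DigitalOcean's `POST /v2/firewalls` endpoint accepts and runs a
few checks a reviewer would want before applying it.
"""
import json

# Constructed placeholders: replace with your real home IP and droplet ID.
HOME_IP = "203.0.113.10/32"
ANYWHERE = ["0.0.0.0/0", "::/0"]
ADMIN_PORTS = {"22", "3306"}   # ports that must never be world-reachable


def _rule(direction_key, protocol, ports, addresses):
    rule = {"protocol": protocol, direction_key: {"addresses": list(addresses)}}
    if ports is not None:          # ICMP rules carry no port field
        rule["ports"] = ports
    return rule


def inbound(protocol, ports, addresses):
    return _rule("sources", protocol, ports, addresses)


def outbound(protocol, ports, addresses):
    return _rule("destinations", protocol, ports, addresses)


def build_firewall(name, home_ip=HOME_IP, droplet_ids=()):
    """Inbound: the asker's plan. Outbound: the answer's minimum, plus
    53/tcp, 123/udp and ICMP (assumptions added in this example)."""
    return {
        "name": name,
        "droplet_ids": list(droplet_ids),
        "inbound_rules": [
            inbound("tcp", "22", [home_ip]),      # SSH from home only
            inbound("tcp", "80", ANYWHERE),       # HTTP
            inbound("tcp", "443", ANYWHERE),      # HTTPS
            inbound("tcp", "3306", [home_ip]),    # MySQL from home only
        ],
        "outbound_rules": [
            outbound("tcp", "80", ANYWHERE),      # apt mirrors over HTTP
            outbound("tcp", "443", ANYWHERE),     # HTTPS downloads
            outbound("udp", "53", ANYWHERE),      # DNS lookups
            outbound("tcp", "53", ANYWHERE),      # DNS fallback to TCP (assumption)
            outbound("udp", "123", ANYWHERE),     # NTP (assumption)
            outbound("icmp", None, ANYWHERE),     # path MTU / ping (assumption)
        ],
    }


def lint_firewall(fw):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    for rule in fw["inbound_rules"]:
        addrs = set(rule["sources"]["addresses"])
        if rule.get("ports") in ADMIN_PORTS and addrs & set(ANYWHERE):
            findings.append(
                f"inbound {rule['protocol']}/{rule['ports']} is open to the world")
    out = {(r["protocol"], r.get("ports")) for r in fw["outbound_rules"]}

    def allows(proto, port):
        return (proto, port) in out or (proto, "all") in out

    if not allows("udp", "53"):
        findings.append("no outbound udp/53: DNS lookups will fail")
    if not allows("tcp", "443"):
        findings.append("no outbound tcp/443: HTTPS downloads (e.g. apt) will fail")
    return findings


def to_json(fw):
    """Serialise for `doctl`/curl; keys sorted so diffs stay readable."""
    return json.dumps(fw, indent=2, sort_keys=True)


if __name__ == "__main__":
    spec = build_firewall("web-fw", droplet_ids=[123456789])  # placeholder ID
    problems = lint_firewall(spec)
    print(to_json(spec))
    print("findings:", problems or "none")
```

Run the script, review the JSON, then submit it to the API (or translate it into `doctl compute firewall create` flags). Keep ufw on the droplet as well: the cloud firewall filters before packets reach the host, ufw catches anything that bypasses it, and the two lists should be kept in agreement so a rule change in one place is not silently undone by the other.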