An Introduction To DigitalOcean Cloud Firewalls

Posted June 6, 2017. Tags: Firewall, DigitalOcean, Security

Introduction

DigitalOcean Cloud Firewalls, available in all regions at no charge, provide a network-based, stateful firewall service for your DigitalOcean Droplets. They block all traffic that isn't expressly permitted by a rule. They're designed to be easy to configure, quick to apply, and automation-friendly.

In this guide, we'll explore how to create and manage DigitalOcean Cloud Firewalls.

DigitalOcean Cloud Firewalls at a Glance

  • Price: No additional cost.
  • Regional Availability: Firewalls are available in every region.
  • Management: Rules can be applied to individual Droplets or to tags. Rules applied to a tag will then be applied to all Droplets that share the tag.
  • Membership Requirements: A Firewall's rules can include servers from any combination of regions.
  • Limits:
    • Total incoming and outgoing rules per firewall: 50
    • Individual Droplets per Firewall: 10
    • Firewalls per Droplet: Unlimited
    • Tags per Firewall: 5
    • Droplets per tag: Unlimited

Managing Cloud Firewalls in the Control Panel

Firewalls are available in the DigitalOcean Control Panel by following the Networking link in the top menu, then selecting Firewalls. When no firewalls exist, you will reach an introductory screen.

Firewalls page when no firewalls have been created.

Once you've created a Firewall, the Firewalls tab serves as the main overview page and provides summary information including the number of Droplets protected, the number of rules and the date the Firewall was created.

Creating A Firewall

When you click the Create Firewall button, you will arrive at the creation form. Since the default state of Cloud Firewalls permits no traffic in or out, when you create a Firewall from the Control Panel, four pre-configured rules are suggested to allow some fundamental traffic:

Screenshot of the Default Rules, described below.

These rules define the following exceptions to the firewall policy:

  • Allow all incoming TCP traffic to port 22 from any IPv4 or IPv6 address (allow SSH access)
  • Allow all outgoing ICMP traffic to any IPv4 or IPv6 address
  • Allow all outgoing TCP traffic on all ports to any IPv4 or IPv6 address
  • Allow all outgoing UDP traffic on all ports to any IPv4 or IPv6 address

You can delete or edit these rules to suit your needs, but you must name the Firewall and define at least one rule in order to create it. Note that a single firewall can contain no more than 50 rules.

Configuring Inbound Rules

Inbound rules define what kind of traffic will be allowed to which ports from which sources. If no inbound rules are configured, no incoming traffic is permitted.

The Suggested Inbound Rule: SSH

Because the compromise of a server typically begins over an inbound connection, the default inbound connections remain entirely restricted with one exception. The suggested rule allows SSH connections on port 22 from anywhere so that users will be able to administer the server from a terminal.

Default Inbound Rule

Note: If SSH is listening on a non-standard port, you can delete this rule and create a new Custom TCP rule to specify the non-standard port.

As you install new software and configure new services, you'll add new rules to open the ports you need.

Creating New Inbound Rules from Presets

Inbound rules are added by opening the New rule select list. Several common protocols are available and will fill the "Protocol" and "Port Range" fields automatically. For example, selecting HTTP will auto-fill the "Protocol" with TCP and the "Port Range" with HTTP's default of port 80.

Type dropdown list with the following options: SSH, HTTP, HTTPS, MySQL, DNS TCP, DNS UDP, All TCP, ALL UDP, ICMP, Custom

If one of these services is listening on a non-standard port, you can configure it by creating a custom rule.

Restricting by Source

With any protocol, you can reduce the attack vector by limiting which hosts are allowed to connect. You can add:

  • Droplets by name or IP address
  • DigitalOcean Load Balancers by name or IP address
  • Droplets or Load Balancers by tag
  • Non-DigitalOcean servers by IP address

Droplets
You can restrict incoming connections to one or more Droplets. For example, rather than allowing any host on the Internet to connect to a database server on port 5432, you can create a firewall for the database server, open port 5432, then restrict TCP access to a single web server by selecting its name in the "Sources" field.


Note that you can also paste a Droplet's IP address which will look up its name and, after a brief pause, display it in the dropdown. Once the Droplet's name appears in the list you can press Enter or click the name to select it.

Load Balancers
In addition to Droplets, you can restrict traffic to DigitalOcean Load Balancers. Say you're using a Load Balancer called webserver-lb to balance HTTPS traffic between multiple web servers listening on port 443. You can restrict access to the Load Balancer by adding it in the "Sources" field of the Firewall that protects those web servers.

Inbound rule restricted to the webhead-lb Load Balancer

This will allow the Load Balancer to send traffic to the web servers and prevent users from accessing them directly.

Tags
Rather than using the name of a Droplet or DigitalOcean Load Balancer as a source, you can also use a tag. When you specify a tag, any of your DigitalOcean resources associated with that tag will be allowed access.

For example, if you want to allow multiple web servers to access a single database server, you can tag each one with webheads then add the tag to the "Sources" field of the database's firewall:

Inbound rule restricted by webheads Tag

Any Droplet or Load Balancer already tagged will be allowed to establish a connection, and new or existing Droplets will be allowed as soon as they are tagged.

External IP Address or Range
Many users have non-DigitalOcean machines that need to access Droplets. You can select these resources by IP address. Much like specifying a Droplet, you'll type or paste the IP, then pause briefly.


Once the "No match" response appears, press Enter, and the IP will be added:


Access can be defined by specific IP addresses, subnets, or Classless Inter-Domain Routing (CIDR) ranges.

Creating New Custom Rules

To add a custom rule, choose "Custom," which allows you to select a protocol and port range.

Protocol

Once you've selected Custom, you can choose either TCP or UDP from the Protocol List.
Note that because ICMP has no port abstraction, to allow ICMP traffic, you select it directly from the New rule dropdown.

Port Range

For the TCP and UDP protocols, you can specify:

  • A single port.
  • A range of ports by entering the starting and ending ports separated by a dash (-) with no spaces, e.g. 3000-4000.
  • All ports by leaving the field blank.

To open multiple non-sequential ports, create a separate rule for each.

Configuring Outbound Rules

Outbound rules define what kind of traffic will be allowed to leave the server on which ports and can be restricted to specific destinations. If no outbound rules are configured, no outbound traffic is permitted.

The Suggested Outbound Rules: Permit All Traffic

Many fundamental services rely on outbound communication. Utilities like ping require outbound ICMP. DNS lookups, VoIP and NTP all rely on outbound UDP. Tasks like data synchronization, package list updates, web requests and email require outbound TCP connections.

Because of this, the suggested outbound rules permit all traffic to any destination on any port. These defaults make it easier to set up a new server without introducing restrictions that could block expected functionality.


While these defaults are appropriate in most cases, when a server has been compromised, scripts may try to download more dangerous exploits from the Internet or to use the compromised server as a spam relay or DDoS control host. Restricting outbound traffic can mitigate the impact once an exploit has occurred. In order to comply with specific security policies or to reduce the impact in the event of a compromise, users may wish to alter these rules to restrict outbound traffic.

Creating New Outbound Rules

Creating Outbound rules is similar in most ways to creating inbound rules with one critical difference: since the suggested rules permit all types of traffic to leave the host, you must either edit or delete the suggested rules in order to restrict traffic.

For example, say you have a web application using a dedicated Postgres server that should only be allowed to connect to its web servers and you want to tightly restrict the outbound traffic. In a Cloud Firewall applied to the database, you might:

  1. Delete the ICMP rule to block all outgoing ICMP traffic. Outgoing pings and traceroutes will no longer work.
  2. Delete the TCP rule, then add a custom rule to block all ports except 5432 and restrict the destination to Droplets tagged "webheads." This will prevent all other TCP traffic, causing ordinary management tasks to fail. For example, the database server will no longer be able to fetch new packages or security updates from the Internet. This will also block DigitalOcean monitoring.
  3. Delete the UDP rule to block all UDP traffic. This will cause DNS lookups to fail.

Custom Outbound rule opening TCP, restricted to port 5432 and destinations tagged webheads.

Since DNS is a critical service for most hosts, depending on the use case, you might want to add the DNS presets:


Important: When more than one Firewall is applied to a Droplet, the rules are additive and cannot be restricted again with other rules. For example, if one Firewall used the suggested outgoing rules and the other applied rules in the example above, all outbound traffic would be permitted. See the Multiple Firewalls section for more detail.

Note: In order to block a single port, like SMTP, and allow all other outgoing traffic, we'd create two rules: One to allow ports 1-24 and another to allow 26-65535. Most users are likely to accept the suggested rules, however, and allow all outgoing traffic.

Applying a Cloud Firewall to Droplets

A Firewall's rules can be applied by adding individual Droplet names, tags, or a combination of the two in the "Apply to Droplets" field.

Note: While the Name and at least one rule is required to create a Firewall, you can leave the "Apply to Droplets" field blank, create the Firewall, and assign Droplets later.

Adding Individual Droplets

Up to ten individual Droplets can be added to a Firewall in the "Apply to Droplets" field. To add them, start typing the Droplet name, then press Enter or select it from the list:

Apply to Droplets with postgres-server selected

Note that you can also paste a Droplet's IP address which will look up its name and, after a brief pause, display it in the dropdown. Once the Droplet's name appears in the list you can press Enter or click the name to select it.

To add more Droplets once you've created the Firewall, click its name to return to its Rules page.

Apply to Droplets with postgres-server selected

From the Rules page, click Droplets:

Droplets page
With Cloud Firewalls, you can add some Droplets individually and others with tags.

Adding Tagged Droplets

Up to five tags can be added to a Firewall, and unlimited Droplets can be associated with a tag, allowing you to exceed the individual ten-Droplet limit. This is one of several advantages of organizing your Firewalls with Tags:

  • An unlimited number of Droplets can be associated with a Tag. Since there is no limit to the number of Droplets that can be associated with a tag, using tags helps you scale with your infrastructure. You can learn more about how to use tags to facilitate scaling in the How to Organize Your DigitalOcean Cloud Firewalls guide.
  • Droplets can be tagged at creation. By creating a Droplet with a tag that is associated with a Firewall, the rules are in place from the beginning. Adding resources by tag means that once you've created a Firewall, most of the resource management will happen on the Droplets screen. You'll either tag Droplets when you create them or add tags to existing ones. See the article How To Tag DigitalOcean Droplets for more details.

Combining Multiple Firewalls

Droplets can be protected by more than one Cloud Firewall, and when they are, a union of the rules is applied. For example, if a firewall named default-fw implements the default suggested rules and another, called postgres-fw, is configured to allow only incoming and outgoing traffic on port 5432, the union of the rules means that:

Inbound

  • SSH on port 22 is allowed from anywhere
  • TCP on 5432 is allowed only from webheads

Outbound

  • ALL ICMP, TCP, and UDP traffic is allowed.

The union of the rules also displays the custom outbound TCP rule, but the more permissive "All TCP" rule to all destinations overrides the restriction.

Postgres Server's Networking page

If the intention of the postgres-fw rules is to restrict outgoing traffic to port 5432, then removing the permissive default-fw and applying something more specific, such as an admin-fw that allows only incoming SSH, might be more appropriate.

Postgres Server's Networking page with restricted rules

The same union applies to sources or destinations. If one rule allows TCP from any Source and another allows TCP from a restricted range, the union of the two means that TCP traffic is allowed from anywhere. The guide How to Organize Your DigitalOcean Cloud Firewalls provides detailed guidance on how to use multiple Firewalls to make your security strategy more explicit and flexible.
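To make the union semantics concrete, here is an added Python model of the rule sets from the outbound example, the SMTP note and this section. It is illustrative code written for this article, not DigitalOcean's own code or API; the firewall names and the webheads tag come from the text, while no-smtp-fw is a constructed name.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One allow rule: ports is an inclusive range (ignored for icmp); a peer
    matches if its address lies in any cidr or it carries any listed tag."""
    protocol: str
    ports: tuple = (1, 65535)
    cidrs: tuple = ()
    tags: tuple = ()

    def matches(self, protocol, port, peer_ip, peer_tags):
        if protocol != self.protocol:
            return False
        if protocol != "icmp" and not (self.ports[0] <= port <= self.ports[1]):
            return False
        # Membership is False across IP versions, so "::/0" never admits an IPv4 peer.
        if any(ip_address(peer_ip) in ip_network(c) for c in self.cidrs):
            return True
        return bool(set(self.tags) & set(peer_tags))

@dataclass
class Firewall:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def allowed(firewalls, direction, protocol, port, peer_ip, peer_tags=()):
    """Default deny. All firewalls applied to a Droplet form one union of allow
    rules, so a match in any of them permits the traffic."""
    return any(rule.matches(protocol, port, peer_ip, peer_tags)
               for fw in firewalls for rule in getattr(fw, direction))

ANYWHERE = ("0.0.0.0/0", "::/0")

# The suggested Control Panel defaults: SSH in, all ICMP/TCP/UDP out.
default_fw = Firewall("default-fw",
    inbound=[Rule("tcp", (22, 22), ANYWHERE)],
    outbound=[Rule("icmp", cidrs=ANYWHERE), Rule("tcp", cidrs=ANYWHERE),
              Rule("udp", cidrs=ANYWHERE)])

# The restricted database firewall: TCP 5432 only, and only to/from Droplets tagged webheads.
postgres_fw = Firewall("postgres-fw",
    inbound=[Rule("tcp", (5432, 5432), tags=("webheads",))],
    outbound=[Rule("tcp", (5432, 5432), tags=("webheads",))])

# Blocking only outbound SMTP (port 25) as the note describes: allow the two ranges around it.
no_smtp_fw = Firewall("no-smtp-fw",  # constructed name, not from the article
    outbound=[Rule("tcp", (1, 24), ANYWHERE), Rule("tcp", (26, 65535), ANYWHERE)])
```

Checking an outbound TCP connection to port 443 against postgres_fw alone returns False, but against default_fw and postgres_fw together it returns True: that is the override described above, and the reason a permissive firewall has to be removed rather than "tightened" by adding a second one.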

Managing Existing Firewalls

In this section, we'll look at three key components of managing existing Firewalls:

  • How to add, edit, and delete rules for an existing Firewall
  • How to see which Droplets are protected by an individual Firewall
  • How to see the Firewalls and Firewall rules being applied to a specific Droplet

Adding, Editing or Deleting a Firewall's Rules

To manage existing Firewalls, navigate from Networking to Firewalls and click the Firewall's name. You'll arrive on its Rules tab. From here you can add a new rule under the "New rule" option.

Existing rules

To edit or delete a rule, use its "More" menu:

Edit and delete rules with their More menu

Viewing the Droplets Protected by a Firewall

To see what Droplets are protected by the Firewall, visit the Firewall's "Droplets" tab. Where Droplets have been added individually, they're shown on their own line. When they've been added because of a tag, they're shown below the tag:

Screenshot with a Droplet added individually and one added via tag

Removing Droplets or Tags from a Firewall

To remove a Droplet or tag from a Firewall, use its More menu:

Remove link

From the Firewall's Droplets tab you can see which Droplets are affected by the Firewall you're viewing. To see all the rules affecting a specific Droplet, you'll need to view the individual Droplet's Networking page.

Viewing the Rules Applied to a Droplet

To see what rules are applied to a Droplet, click the Droplet's name, then visit its Networking page which is linked in the left-hand menu.

You will see one of three states.

When no Firewalls have been applied, the page displays a message and provides a "Manage Firewalls" button:

The button leads directly to the Firewalls overview page where you can create a new Firewall or edit existing ones.

When one Firewall has been applied, its name will appear below the Firewall section header, followed by its rules:
The Rules of a Single Cloud Firewall

Click the Firewall's name to manage its rules.

When multiple Firewalls have been applied, the name of each Firewall appears under the Firewalls header, and the union of all rules is displayed:
The Rules of Multiple Cloud Firewalls

Note: If two Firewalls contain identical rules, only one will appear in the table. If you remove the rule from one Firewall, the rule will continue to be displayed while it is applied by another Firewall.

To return to a specific Firewall's Rules page, click its name.

Where to Go From Here

In this article, we provided an overview of how to use the DigitalOcean Control Panel to manage Cloud Firewalls. For more information on securing your DigitalOcean infrastructure with Cloud Firewalls, see one of these guides:


Creative Commons License