I'm a big fan of cloud management solutions where the tools "just work" with minimal configuration. Especially when it comes to deploying Linux servers, DigitalOcean's set of solutions is fantastic. I'd written earlier about how to start up a Linux server in just 5 minutes. You just need to choose the hardware configuration, and the instance is spun up in just a few seconds with the root password being e-mailed to you immediately.
Amongst the many setup tasks a Linux admin needs to perform, one of the most important is the creation of a proper firewall. I've already written about using csf as a comprehensive firewall solution for Linux, and it's still an extremely comprehensive solution that allows for complex rules and configurations. However, sometimes you just want to get up and running as soon as possible with basic firewall rules. Let's face it: the overwhelming majority of admins just want a basic lockdown of their Linux server.
Yesterday, DigitalOcean introduced their new "Cloud Firewall" solution. A free service for all existing droplet users, it allows for the easy creation of firewalls and their attachment to different droplets. This is great for those who manage a large number of servers at the same time and have similar firewalls on each of them: you can update an entire cluster of servers that share the same firewall by making changes in just one place. Let's take a look at how it works.
Creating a New Cloud Firewall with DigitalOcean
Setting up a cloud firewall is remarkably easy. Just log in to your DigitalOcean account, select the "Network" link at the top, and then click the Firewalls tab on the resulting page like this:
Then scroll down and create the first firewall by clicking the blue "Create Firewall" button:
After giving your firewall a name, you will see that there are already a few default rules configured. The first incoming rule is SSH, which allows incoming traffic to port 22. This is the default SSH port, though I recommend you change it to something else.
The default outgoing rules permit everything. Unlike incoming connections, we can be much more lax with outgoing traffic. If you're using your Linux droplet as a web server, you should also configure it to allow incoming HTTP and HTTPS traffic. Click the "New rule" drop-down box and select one of the options. Based on what you select, the ports are chosen automatically.
Once you're done with your changes, scroll down and choose which droplets you want to apply this firewall to. You can also apply it to entire tags if you wish.
Then click "Create Firewall" and you're done! The new rules will now be immediately applied to your selected droplets.
Allowing SSH from another Port
If, however, you access SSH on a port other than 22, you'll find that you're unable to connect:
Moreover, the cloud firewall with DigitalOcean doesn't allow you to change the port for the preset "SSH" entry.
So what we need to do is create a custom rule instead. Under "New rule" as above, select "Custom". Since SSH uses the TCP protocol, simply select "TCP" from the protocol drop-down and enter the port you use to connect via SSH. Now save your changes, and you should then be able to connect via SSH through the firewall using your preferred port.
The cloud firewall from DigitalOcean has a few limitations: no more than 50 total rules, and no more than 10 droplets for each firewall. However, there's no limit on how many droplets you can assign to a tag, so you can bypass the 10-droplet limit that way. But you can't assign more than 5 tags to any given firewall.
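As an added example (not part of the original post, nor DigitalOcean's own tooling), here is the same firewall built as an API payload rather than through the UI: a custom-port SSH rule plus HTTP/HTTPS inbound, everything outbound, checked against the limits above before it is submitted. The body shape is assumed to follow the DigitalOcean API v2 `POST /v2/firewalls` request (`inbound_rules`/`sources`, `outbound_rules`/`destinations`, `"0"` for all ports); the function names are chosen here, and submitting requires your own API token.

```python
# Build a DigitalOcean Cloud Firewall payload mirroring the UI rules above (assumed API v2 shape).
import json
import urllib.request

ANY_ADDR = ["0.0.0.0/0", "::/0"]  # allow from / to anywhere (IPv4 and IPv6)
MAX_RULES, MAX_DROPLETS, MAX_TAGS = 50, 10, 5  # per-firewall limits stated in the post

def build_firewall(name, ssh_port, web=True, droplet_ids=(), tags=()):
    """Return the JSON body for POST /v2/firewalls: SSH on a custom port, optional web ports."""
    inbound = [{"protocol": "tcp", "ports": str(ssh_port),
                "sources": {"addresses": ANY_ADDR}}]
    if web:
        for port in ("80", "443"):
            inbound.append({"protocol": "tcp", "ports": port,
                            "sources": {"addresses": ANY_ADDR}})
    # Outbound: permit all TCP, UDP and ICMP, as the UI defaults do ("0" = all ports; ICMP has none).
    outbound = [{"protocol": p, "ports": "0",
                 "destinations": {"addresses": ANY_ADDR}}
                for p in ("tcp", "udp")]
    outbound.append({"protocol": "icmp", "destinations": {"addresses": ANY_ADDR}})
    return {"name": name, "inbound_rules": inbound, "outbound_rules": outbound,
            "droplet_ids": list(droplet_ids), "tags": list(tags)}

def check_limits(fw):
    """Raise ValueError if the payload exceeds the limits the post describes; else return it."""
    n_rules = len(fw["inbound_rules"]) + len(fw["outbound_rules"])
    if n_rules > MAX_RULES:
        raise ValueError(f"{n_rules} rules exceeds the {MAX_RULES}-rule limit")
    if len(fw["droplet_ids"]) > MAX_DROPLETS:
        raise ValueError(f"more than {MAX_DROPLETS} droplets; attach a tag instead")
    if len(fw["tags"]) > MAX_TAGS:
        raise ValueError(f"more than {MAX_TAGS} tags on one firewall")
    return fw

def create_firewall(fw, token):
    """Submit the payload to the API (token = your DigitalOcean personal access token)."""
    req = urllib.request.Request(
        "https://api.digitalocean.com/v2/firewalls",
        data=json.dumps(check_limits(fw)).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    fw = check_limits(build_firewall("web-servers", ssh_port=2222, tags=["web"]))
    print(json.dumps(fw, indent=2))  # review the payload before calling create_firewall()
```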
Keeping these broad limitations in mind, the cloud firewall is a superb idea for managing droplet security. It's easy to set up, can be taken down and applied flexibly to multiple instances at once, and presents a nice clean interface for what can traditionally be a pretty messy setup!