DO Ideas 2

Allow separate firewalls to be applied to a droplet's private and public interfaces

The type of traffic I'd like to allow to my private interfaces (e.g., SSH between droplets and my home pc via a vpn) is different than the traffic I'd like to allow to my public interfaces (pretty much just http/https).

This seems like a simple feature add that would enable much tighter security profiles to be created.

Obviously, I can (and should) still set up host firewalls on the droplets themselves, but it's always better to have an external firewall in addition to a host firewall. Plus, if DO's answer is to just do it on the droplet, then why offer a firewall feature?

  • Rob
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

    Hello Rob,

    A lot of this can be accomplished right now by using the source property of Cloud Firewalls. For example, if you want to implement the rule you mention, "SSH only from my home and other droplets", you can create a rule for SSH only allowing source <YOUR HOME FIXED IP ADDRESS> and the private network IP range of the droplets, for example 10.137.0.0/16 if they are hosted in TOR1, or specific private IPs, if you want to be even more restrictive. In the future, with the private networks improvements we are working on, this kind of rule will become simpler and allow for smaller ranges, allowing stricter restrictions for larger deployments.

    You can also split your rules in separate firewalls, for example one called Admin and another called Web, splitting the types of rules in each, and apply both to the droplets. We will combine the rules from both for you.

    We wrote some tutorials that you might find helpful, like the one below: https://www.digitalocean.com/community/tutorials/how-to-organize-digitalocean-cloud-firewalls

    I hope this will deliver the functionality you are hoping for.

    Cheers
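The split the admin reply describes, worked through as an added example (this is not code from DigitalOcean or from the thread): one "Admin" firewall that admits SSH only from a home address and from the droplets' private range, one "Web" firewall that admits HTTP/HTTPS from anywhere, both attached to the same droplets. The JSON bodies follow the shape of the DigitalOcean API v2 `/v2/firewalls` endpoint; the home address `203.0.113.10/32` and the tag `web` are placeholder assumptions, and `inbound_allowed` is a local model of the combine semantics (default deny, a packet is accepted if any rule in any attached firewall matches) so the resulting policy can be checked offline before anything is created.

```python
import ipaddress
import json

# Constructed placeholder values (not from the original thread):
HOME_IP = "203.0.113.10/32"      # stands in for <YOUR HOME FIXED IP ADDRESS>
PRIVATE_RANGE = "10.137.0.0/16"  # the TOR1 private range cited in the reply
ANY = ["0.0.0.0/0", "::/0"]


def inbound_rule(protocol, ports, addresses):
    """One inbound rule in the shape of the API v2 /v2/firewalls body."""
    return {"protocol": protocol, "ports": ports,
            "sources": {"addresses": list(addresses)}}


def outbound_rule(protocol, ports, addresses):
    return {"protocol": protocol, "ports": ports,
            "destinations": {"addresses": list(addresses)}}


# "Admin": SSH only from home and from the droplets' private range.
ADMIN_FIREWALL = {
    "name": "Admin",
    "inbound_rules": [inbound_rule("tcp", "22", [HOME_IP, PRIVATE_RANGE])],
    "outbound_rules": [outbound_rule("tcp", "all", ANY),
                       outbound_rule("udp", "all", ANY)],
    "tags": ["web"],  # assumption: the droplets carry the tag "web"
}

# "Web": HTTP/HTTPS from anywhere. Both firewalls attach to the same tag.
WEB_FIREWALL = {
    "name": "Web",
    "inbound_rules": [inbound_rule("tcp", "80", ANY),
                      inbound_rule("tcp", "443", ANY)],
    "outbound_rules": [],
    "tags": ["web"],
}


def api_body(firewall):
    """JSON payload for POST /v2/firewalls."""
    return json.dumps(firewall, indent=2)


def _port_matches(spec, port):
    """Cloud Firewall port specs are 'all', a single port, or 'lo-hi'."""
    if spec == "all":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def inbound_allowed(firewalls, protocol, port, src_ip):
    """Local model of how attached firewalls combine: inbound traffic is
    dropped unless some rule in some attached firewall matches it."""
    src = ipaddress.ip_address(src_ip)
    for fw in firewalls:
        for rule in fw["inbound_rules"]:
            if rule["protocol"] != protocol:
                continue
            if not _port_matches(rule.get("ports", "all"), port):
                continue
            for cidr in rule["sources"].get("addresses", []):
                net = ipaddress.ip_network(cidr, strict=False)
                if src.version == net.version and src in net:
                    return True
    return False


if __name__ == "__main__":
    applied = [ADMIN_FIREWALL, WEB_FIREWALL]
    probes = [("tcp", 22, "203.0.113.10"),   # SSH from home: allow
              ("tcp", 22, "10.137.4.7"),     # SSH from a private IP: allow
              ("tcp", 22, "198.51.100.5"),   # SSH from the internet: drop
              ("tcp", 443, "198.51.100.5")]  # HTTPS from the internet: allow
    for proto, port, ip in probes:
        verdict = "allow" if inbound_allowed(applied, proto, port, ip) else "drop"
        print(f"{proto}/{port} from {ip}: {verdict}")
    print(api_body(ADMIN_FIREWALL))
```

The `/16` is the datacenter-wide private range rather than an address space scoped to your account, which is why the reply calls specific private IPs the stricter option; the same `sources` object also accepts `droplet_ids` and `tags`, so an "Admin" rule sourced from a tag keeps working as droplets are added without widening the range. Keep the host firewall on the droplet as well: the cloud firewall sits in front of both interfaces, so it is the host firewall that still decides what is reachable on the private address once a packet is past the edge.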