DO Ideas 2

Cloud firewall

A firewall service in the cloud with a nice interface, so there is no need to install extra software on the Droplet.

  • Mac
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

Hello everybody. It took some time but we are extremely happy to announce the launch of Cloud Firewalls, an easy way to protect your Droplets. It's available on all regions today and it's free. Please read more details on the link below: https://blog.digitalocean.com/cloud-firewalls-secure-droplets-by-default/ Thanks a lot for sending us feedback and feature requests. Stay tuned for more security related news in the future. Best regards, Rafael
  • Mostafa commented
    September 11, 2018 20:04

    Thanks a lot.

  • Levani commented
    September 11, 2018 20:04

    The ability to manage firewall in a simple interface we love DO for would be amazing!

  • Anonymous commented
    September 11, 2018 20:04

    4 years later... Nothing. Thanks Digital Ocean :)

  • Mike commented
    September 11, 2018 20:04

    High-volume sites could really benefit from a PFsense droplet or hardware firewall that we could manage.

  • Nathan Youngman commented
    September 11, 2018 20:04

    I'd really like Droplets to be secure by default. The way Google Compute Engine uses Projects that need ports opened or the way AWS has VPC by default. As a server newb, the need to configure iptables and all that is a deterrent.

  • Adam commented
    September 11, 2018 20:04

    Do we still have no update on this? Any comment at all?

  • Mark commented
    September 11, 2018 20:04

    It would be great to have a firewall option that can be configured by us to route traffic, block traffic, etc.

    That way if a server is getting hit by the same IP, I can point it to a black hole.

  • Clément Salaün commented
    September 11, 2018 20:04

    Any news on this? All my votes go here, as many people said something like security groups would be awesome. Scaleway is doing it by the way.

  • qmarlats commented
    September 11, 2018 20:04

+1, it would be awesome to protect the droplet before requests reach it. (Useful to prevent locking ourselves out of the droplet too ^^ )

  • Mark commented
    September 11, 2018 20:04

Would be nice to put a firewall before the server like some hosting companies do, where we can select which ports ingress and egress are allowed and also be able to list IPs that are good/bad.

  • Martin Charlesworth commented
    September 11, 2018 20:04

    I've been faced with the same problem and I'm building something to help with not just the firewalls/security groups but making securing droplets much easier for devs. Check out lockdown.io.

  • David Reagan commented
    September 11, 2018 20:04

    If I were to implement this myself, here's the features I'd want.

Each firewall would come with a predefined set of internal IP addresses. Say, 250 to start out with; more can be added if needed. The addresses would be internal to the data center, so all traffic inside the firewall should not count against bandwidth. Just like the current private NIC feature.

    Inside the firewall I could define my own custom DMZs if I need to. As in, control port access between internal droplets.

    If my server needs an actual public IP address, we'd have the normal NAT features for that. One per droplet as normal.

    To make it easy to give users as many internal IP addresses as they need, I'd use IPv6. And I'd likely do the same for external IPs as well.

    Hopefully IPv6 would make the only cost be actual server resources. So, whatever the cost of running the firewall, plus each droplet. Hopefully IP addresses would be 0 cents or at least really really cheap.

    And, of course, easy control of ports and the ability to create rulesets.

    The end result would be effectively a cloud-based data center.

  • MNDDE commented
    September 11, 2018 20:04

    This would be really great!

  • Anonymous commented
    September 11, 2018 20:04

    Any feedback regarding this yet?

  • Anonymous commented
    September 11, 2018 20:04

    Is there any possibility to define a security policy for a droplet and prevent access from specific places?

  • Misha commented
    September 11, 2018 20:04

    Security Groups would be nice.

  • Michael Hicks commented
    September 11, 2018 20:04

    I've been using DO on and off for over a year now, but lack of this feature is why I continue to handle my important production deployments at AWS despite the price premium.

  • Mostafa commented
    September 11, 2018 20:04

Classic port opening and closing are sure awesome and the essential firewall, but now that you support CoreOS so well you might consider CoreOS users too: for CoreOS an extra firewall for opening ports is not that necessary, because ports are exposed using Docker. What's more essential is ensuring private network access is limited to a cluster.

  • Anthony Oliver commented
    September 11, 2018 20:04

    Agreed, definitely needed. And one of the main reasons we haven't completely moved from AWS to DO. If I have 10 nodes I don't want to have to touch 10 of them to expose a port, or N nodes for that matter, it would be nice to be rolled up into a group like AWS.

  • Stefano Fratini commented
    September 11, 2018 20:04

    Hello DO, any update on this?
    It's been planned for 2 years now...

The key advantage of the AWS security groups is not that you have a web interface to iptables but that you can define groups of servers that belong to the same security group and establish rules among different security groups.

    This makes cloud deployments way easier as the IP address of a specific machine doesn't matter any more, only the security group(s) the machine is assigned to.

    Thank you!

  • Anonymous commented
    September 11, 2018 20:04

I came from AWS and am loving the droplet system. To my horror, the Firewall Security Group which I use to disable unneeded ports isn't there in Droplet. I am struggling with manual commands in the OS.

    This is a must-have feature. After all, security is what's needed for our servers.

  • Anonymous commented
    September 11, 2018 20:04

With the added option to activate best practice firewall rules from a pre-defined list. So also dummy users will like it.

  • Thomas Fritz commented
    September 11, 2018 20:04

    If you go the AWS Security Groups way, please make the rules additive and editable while the droplet is running and make the rules active without the need to restart the droplets.

  • Adam commented
    September 11, 2018 20:04

    Absolutely need something like this, AWS Security Groups was the perfect implementation for me.

  • Denis commented
    September 11, 2018 20:04

Guys, you need something like Amazon's AWS Security Groups. Simple filters for IP/port to easily set up any remote access.

  • Rostislav Mykhajliw commented
    September 11, 2018 20:04

Honestly, a nice configuration for iptables/ipfw would be great!
    For example, having iptables installed in the default images + a daemon for management through API and web.

  • James Smith commented
    September 11, 2018 20:04

iptables can't easily do this:

    Problem: if we set up a replicated database and a cluster of web servers, then the firewall on the database must be set to allow each individual web server address. If we add new servers on high load, the database firewall has to be reconfigured for each server!

    Solution: (too much work): set up a VPN
    Solution: (much better): have a 'security group' named web, and allow database access only from this group.

    So for multi-server deployments, having a cloud firewall saves a HUGE amount of effort.

    Please launch API access first, and add it to your control panel as and when you have time.
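Stefano Fratini's and James Smith's comments above describe the security-group idea: rules reference a named group of servers rather than individual addresses, so scaling out means adding a droplet to the group, not editing the database firewall. The following is an added illustration of that semantics, not code from DigitalOcean or from any commenter; the `GroupFirewall` class, group names and 10.0.0.x / 203.0.113.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One inbound allow rule; set either source_group or source_cidr."""
    proto: str
    port: int
    source_group: Optional[str] = None   # resolved to member IPs at check time
    source_cidr: Optional[str] = None    # classic address-based rule


@dataclass
class GroupFirewall:
    # Constructed model: a droplet IP can belong to several groups, and
    # inbound rules are attached to groups, never to individual droplets.
    members: dict = field(default_factory=dict)   # group -> set of droplet IPs
    rules: dict = field(default_factory=dict)     # group -> list of inbound Rules

    def add_member(self, group: str, ip: str) -> None:
        self.members.setdefault(group, set()).add(ip)

    def allow(self, group: str, rule: Rule) -> None:
        self.rules.setdefault(group, []).append(rule)

    def permits(self, dst_ip: str, src_ip: str, proto: str, port: int) -> bool:
        """Default deny: allowed only if a group containing dst_ip has a matching rule."""
        for group, ips in self.members.items():
            if dst_ip not in ips:
                continue
            for r in self.rules.get(group, []):
                if (r.proto, r.port) != (proto, port):
                    continue
                if r.source_group and src_ip in self.members.get(r.source_group, set()):
                    return True
                if r.source_cidr and ip_address(src_ip) in ip_network(r.source_cidr):
                    return True
        return False


def scale_out_demo():
    """Returns (new node before joining 'web', after joining, internet -> db)."""
    fw = GroupFirewall()
    fw.add_member("web", "10.0.0.11")
    fw.add_member("web", "10.0.0.12")
    fw.add_member("db", "10.0.0.50")
    fw.allow("db", Rule("tcp", 5432, source_group="web"))     # db trusts the group
    fw.allow("web", Rule("tcp", 443, source_cidr="0.0.0.0/0"))  # web is public on 443
    before = fw.permits("10.0.0.50", "10.0.0.13", "tcp", 5432)
    fw.add_member("web", "10.0.0.13")   # scale out: only the group changes
    after = fw.permits("10.0.0.50", "10.0.0.13", "tcp", 5432)
    stray = fw.permits("10.0.0.50", "203.0.113.7", "tcp", 5432)
    return before, after, stray
```

The `before`/`after` pair is the point of the thread: the database rule set is never touched when a web server is added, and an unknown source still gets the default deny.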

  • TJH commented
    September 11, 2018 20:04

Definitely want a separate firewall front-end, like Amazon's Security Groups, which gives users an easy front-end to create their own firewall rules on centrally managed firewalls. Attacks against your server would be intercepted before they got to your Droplet and handled by Digital Ocean experts. iptables and Windows Firewall are good, but I would never expose a Linux or Windows server directly to the Internet again. I did it once with Linux (years ago) and a hacker was able to exploit it and install a rootkit. Network security requires layers. Some providers give an option of having a separate Cisco firewall for your cloud instance -- I hate that idea as it is expensive and it does not come with central monitoring.

  • Ricardo Falasca commented
    September 11, 2018 20:04

    Some news about firewall?

  • Matthew Ho commented
    September 11, 2018 20:04

Will it help to use CloudFlare and/or its paid service?

  • Anonymous commented
    September 11, 2018 20:04

    I question your judgement regarding DNS being on your roadmap prioritized before firewall / security groups and internal networking and routing among servers. DNS is available everywhere and is trivial to implement. Having a good firewall and secure, isolated mechanism for networking servers internally is prerequisite for any installation. This was actually a deal-breaker for me and I will continue using Amazon for the time being. I will keep my eye out as you provide an excellent value proposition.

    Good luck!

  • Gustavo Gawryszewski commented
    September 11, 2018 20:04

    Security groups would be great

  • Ben Firshman commented
    September 11, 2018 20:04

    My vote is for something approximating security groups!

  • Anonymous commented
    September 11, 2018 20:04

Please provide us a firewall and DDoS protection. My droplet is under attack and is generating traffic of about 500 kbps.
    We need this traffic dropped before the droplet. iptables isn't the best option :(

  • Josh commented
    September 11, 2018 20:04

    I'd like to see something like Amazon's security groups if possible.

  • Matt Stanton commented
    September 11, 2018 20:04

    It might make the most sense to create a "firewall image"... maybe something like pfSense... and then roll it out after implementing VLANing and internal IP addresses. It could run comfortably on a small VM and would allow a person to use it between their other VPSs and the rest of the internet.

  • Moisey Uretsky commented
    September 11, 2018 20:04

    Managed firewall is a bit tricky and needs to be discussed further because Linux provides great firewall management tools out of the box.

    If you want something more complex like SQL injection protection that really isn't a traditional firewall.

  • Kaidesa commented
    September 11, 2018 20:04

    SQL injection and XSS attacks are done on sites based on the code quality (or lack thereof) of the site alone. There's no way they could make some magical protection layer for that.

    That being said, a firewall offering prior to data hitting our droplets would be nice. It isn't exactly necessary, but I definitely wouldn't mind seeing it.

  • Honda commented
    September 11, 2018 20:04

Not only a basic firewall but also a security wall against SQL injection, XSS... (maybe I'm thinking too big...)

  • Ferenc Szalkai commented
    September 11, 2018 20:04

    Installing a control panel based firewall rule generator does not take too much disk space. I think Webmin is easy to use and install on any droplet. Maybe it is also a good way, if D.O. includes it in the default images. But... anyway, if someone has a minimal experience with Linux, it should not mean any problem. BTW, Webmin also has a large set of tools, which can help sysadmins.

  • Honda commented
    September 11, 2018 20:04

    Firewall yep!

  • Moisey Uretsky commented
    September 11, 2018 20:04

    We've updated this request to just reflect Cloud Firewall because DNS has been launched.

    Please up-vote if you are interested in a cloud firewall service through the control panel!

    Thanks

  • Ben Daniel commented
    September 11, 2018 20:04

    For firewall: I'd like to see groups for host IPs (both external host groups and internal host groups) which can be used to assign rules to groups instead of directly on host IPs. (For instance, allow FTP from my house and my brother's house to a predefined subgroup of my internal hosts)

So inbound rule flow could be applied like:
    external host group -> rule (or rule group!) -> internal host group

    Groups of rules would be cool (allow ssh, ftp, etc. all at once) but probably not necessary right off the bat.

    And don't forget IPv6 or the fact that some droplet hosts can have more than one IP on them :)

  • Moisey Uretsky commented
    September 11, 2018 20:04

    Thanks for the kind words guys, if there are particular features and/or functionality that you are looking for in terms of Firewall please let us know as it will help us develop our product roadmap.

    Thanks,
    Moisey
    DigitalOcean

  • Ben Daniel commented
    September 11, 2018 20:04

    If you implement a control-panel based firewall, I will move all of my hosting to you that very day - I'm so far very impressed by the speed at which you appear to be growing and as well funded as you *appear* to be... you may unseat Linode at this pace :)

  • Kris Forbes commented
    September 11, 2018 20:04

    I agree, I've found AWS's "Security Groups" good. A firewall for droplets that lets us apply port-based policies to droplets to allow only certain ports would be useful.

  • Moisey Uretsky commented
    September 11, 2018 20:04

    DNS is on our roadmap.

We're working on one large feature first that's going to make it even easier to deploy code, then we're going to start on DNS management through our interface.

The firewall sounds interesting and we're going to add it to our backlog and begin discussions on that.