
Cloud Firewalls - AYBABTME
https://www.digitalocean.com/products/cloud-firewalls/
======
manacit
Features like this feel like table stakes for cloud hosting in 2017, so it's
nice to see DigitalOcean on board.

It'll be interesting to see what the tooling support looks like for this, it
looks like it's launching with API support day one:
[https://developers.digitalocean.com/documentation/v2/](https://developers.digitalocean.com/documentation/v2/)
which is great. It looks like they're already working to get it into
Terraform:
[https://github.com/hashicorp/terraform/pull/15121](https://github.com/hashicorp/terraform/pull/15121)
which is fantastic!

I look forward to the day that I can automatically spin up a DigitalOcean set
of Droplets running Kubernetes using this.

~~~
tyingq
> I look forward to the day that I can automatically spin up a DigitalOcean set
> of Droplets running Kubernetes using this

Stackpoint.io can do this, you paste your DO API key and get a k8s cluster in
a few minutes. Would be nice if DO built something like that in-house.

~~~
skrebbel
> Would be nice if DO built something like that in-house.

Curious, why? Isn't it much nicer to keep that separate from DO so that you
can move away from DO easily should there be a reason to?

I'm not sure if I'm weird this way, but one main reason we use DO and not,
say, AWS is because we're afraid of vendor lock-in. The more we depend on
specialized services, the harder it gets to move somewhere. I wonder whether
this is a common sentiment in 2017 or whether I'm just old-fashioned.

~~~
tyingq
Hosted K8s isn't much lock-in...you could move to GKE or Azure.

------
throwasehasdwi
Isn't this just doing the same exact thing as iptables only worse since it's
not transparent to the operating system?

I've created bad firewall rules by mistake many times and enforcing them
transparently so the machines can't see them makes the issue almost impossible
to debug and fix.

Of course I have the same gripe with AWS VPC setups I guess... I just think
it's funny how the cloud keeps reinventing cloud versions of things that
perform objectively worse than the original, but then everyone still uses them
out of pure convenience or stupidity.

~~~
NetStrikeForce
Most people don't need anything more complex than this for their firewall
needs, so iptables is overkill.

Not only that, but iptables is just terrible to use and it just makes you want
to kill yourself.

I've deployed a pretty standard policy now in DO with a couple of clicks,
works as expected.

(And before anyone jumps, you should be using a host firewall too; defence in
depth)

~~~
egeozcan
> Not only that, but iptables is just terrible to use and it just makes you
> want to kill yourself.

I can't agree more. Luckily though, if you have some setup scripts that you
reuse, you don't have to think about iptables... Until the moment that you
need to make this harmless quick change that shouldn't cause any problems and
you end up locking yourself out of the server somehow.

------
chays
Finally I can block all SSH access by default and only open up to 1 IP address
on demand then remove when finished. No jump hosts required.

------
malux85
DigitalOcean is killing it against Linode - I just migrated my last services
off Linode because you still cannot attach arbitrary sized disks to your
instances, something they've been promising as arriving "soon" for months. Go
DO!

~~~
lovehashbrowns
Am I the only one who has constant issues with VMs in Linode? I feel like that
platform is the worst out of all the ones I've tried so far. Unfortunately,
our company is stuck with it for now. :(

~~~
IFeelOK
Disclaimer: I work there.

What kind of issues are you running into? There's a lot of issues that can
happen on a server, but a lot of them are due to not enough resources or a
misconfiguration.

Now, if your server is seeing constant issues on the host your server is on...

~~~
lovehashbrowns
The emails we get are generally ones saying it was an issue affecting the
physical hardware that the VM is hosted on, yeah. :( I tend to just ignore
them now though, lol. There are only a few VMs there that are absolutely
critical. Everything else is configured for HA.

~~~
IFeelOK
That's no good, I'd like to take a look and see what's happened - having
multiple hardware issues isn't necessarily normal. If you have time, please
shoot a ticket our way. Mention that you spoke to Soh on Ycombinator and that
I requested this ticket to be opened so we can seek out any solutions.

------
jimaek
Once they double the RAM on all plans like Linode and Vultr did, I will move
all of my servers back to DigitalOcean.

I love these features but double the RAM for the same price still outweighs
them.

~~~
halfeatenpie
Vultr has the cheaper side down I will admit, but their network hasn't been too
great for me. It's great for development work but for production-level stuff I
wouldn't put anything on it.

Linode is like that old king on the block. They've had security issues in the
past (multiple) and since they do store your credit card information those did
get released (if I recall). They're decent and they work. They're a bit slower
than the other two in my opinion, but they work and that's something I need.

DigitalOcean has been fairly solid and reliable. Yeah you can say you get more
resources for how much you spend elsewhere, but DigitalOcean has been more
reliable and solid than Vultr. I mean I remember opening support tickets with
them and their response being "We took care of someone else on that node. Go
ahead." Took me a solid 2 hours just to install an Ubuntu image on one of their
(Vultr's) storage nodes. DigitalOcean has never had to give those kinds of
responses to me and overall performance and the composition of their nodes has
been fairly solid and reliable.

Yeah Vultr and Linode are cheaper and you get more, but I really feel
DigitalOcean is solid and more reliable than Vultr. I mean Vultr's SLA is 100%
uptime, but their credit return policy is to the effects of "we'll just give
you your cheap money back". I don't care about credits and I just want my
service online and not having to worry about anything, and most of Vultr's
answers have usually been "wait" or "we did it" (but no real long-term solution
to the problem). DO has been focusing on providing long-term solutions to
problems I've had and no "bs" excuses. Linode has been solid as well, but
doesn't have many of the features DO is starting to roll out with (which fair
enough, it's their decision). DO has nothing but praise from me.

~~~
jazoom
Vultr has been rock solid for me for years in the Sydney region.

------
jbrooksuk
Really all we (the company I work for) need now is Block Storage in LON1!

~~~
ino
We need it for ams3

~~~
McBlorker
We published the roll-out schedule for Block Storage a little while back. Both
LON1 and AMS3 are planned for this year:
[https://blog.digitalocean.com/block-storage-comes-to-singapore/](https://blog.digitalocean.com/block-storage-comes-to-singapore/)

~~~
ino
Sweet. Is it possible to enable backups on block storage?

~~~
mike_j
You can back up the volume via snapshots.

------
the_common_man
Can someone clarify if the traffic between two droplets is "secure", i.e. other
droplets cannot see them? On AWS, I can create a VPC and put two ec2 instances
on that.

~~~
vultour
I'm not an expert on hypervisors but is what you're saying even possible? One
would think that dispatching the correct packets to the correct VM would be an
integral part of the virtualization environment.

~~~
majewsky
Not an expert either, but afaik customer isolation is quite easy when you put
each customer on their own VLAN (or similar) and remove the VLAN tag only
after the packet has reached the virtual NIC of the customer's VM.

------
tyingq
They seem to be headed towards being an "AWS light". Would be nice to have
an alternative with reasonable egress costs. Still a long way to go though. At
a minimum, they would need a more configurable load balancer and some S3 type
function.

~~~
Tostino
I would be extremely happy with DO if they put out an S3 competitor. Right
now, most of my servers are on DO; the only things I need AWS for are a single
Windows server to run some Windows-only software, and S3 to store my database
backups.

~~~
dsugarman
It's always smart to store your backups on another service anyway for any
doomsday scenarios

~~~
stevekemp
And to double the single-points of failure? Now your "stuff" is only alive if
both the virtual machine(s) are up, and the object-store is accessible!

~~~
Tostino
What do you mean? It's not like if your object store becomes unavailable your
database sending its backups there will suddenly stop working.

~~~
stevekemp
Indeed, but if you're hosting user-images on S3 and they go away your site is
broken.

That might not be a big deal, or it might mean your site is 100% broken. I
can't guess, but I'd assume since you went to the effort to set up a store you
need it in some way.

(No backups? Of a database? That's one power-cut, or hardware failure away
from complete data loss too!)

------
nodesocket
So awesome. It made me giddy today to remove all droplet level iptables rules
and convert them to network level Cloud Firewall rules.

Love how DigitalOcean allows you to specify droplets as sources, groups of
droplets (tags) as sources, or CIDR ranges.

~~~
Narkov
How do you prevent one compromised host spreading to the rest of your hosts?
Shouldn't this be an added level of security rather than a replacement?

------
thomasruns
Is there a way to upload a list of IP addresses instead of having to paste,
remove focus, re-focus over and over? I use cloud9 IDE and just for 1 region
there are 90 possible IPs that they could be using to ssh into my DO box.

------
blfr
I know this is not strictly related but how well does Digital Ocean hold under
a DDoS nowadays? Are they closer to Hetzner who just blackholes your IP or OVH
who can withstand virtually anything?

~~~
always_good
In my experience last year, Digital Ocean blackholes you for 24 hours, during
which they don't answer support tickets.

In other words, you can take down any Digital Ocean site for 24 hours after
paying $1 to a booter unless they are behind CloudFlare or some other
mitigation.

~~~
rgrove
DigitalOcean automatically blackholed one of my droplets due to a DDoS attack
last year. They notified me immediately via email and a human responded to my
support ticket within 30 minutes with technical details.

I was able to provision a new droplet right away, so the downtime was minimal.
I think the way DigitalOcean handled the incident was perfectly reasonable,
and was a much better experience than I've had with other cloud providers in
the past.

------
daxorid
It's not clear what this offers over the usual iptables/firewalld + ansible
solution. What am I missing?

~~~
genpage
Disclaimer: DO Support here

The traffic is blocked/allowed at our network layer before being routed to the
droplet. The rules are easily configurable through the control panel and API.
You can also specify Droplets (individual or tagged) and our new Load
Balancers as the targets.

You can also layer multiple firewalls on top of one another if you want to
apply specific firewall rules to only a specific set of Droplets/LBs.

The Intro tutorial we have is great for details:
[https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls](https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls)

Feel free to reach out to us if you have any more specific questions. :)

~~~
peterwwillis
How many firewalls can a single user create, and how many rules can be in each
firewall? How is the order of multiple firewalls applied to the same droplet
determined? Where is there logging to show when a rule matched? Is there any
future plan to support REJECTing packets rather than only DROPing? Will the
user interface warn the user when they are about to block all traffic
(including ssh) to a droplet?

~~~
beardicus
(DO employee here)

The intro article answers many of these questions (and more):
[https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls](https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-cloud-firewalls)

> How many firewalls can a single user create, and how many rules can be in
> each firewall?

100 firewalls, 50 rules per firewall

> How is the order of multiple firewalls applied to the same droplet
> determined?

The rules are all added together and applied at the same priority. Order
doesn't matter.

> Where is there logging to show when a rule matched?

No logging is available.

> Is there any future plan to support REJECTing packets rather than only
> DROPing?

No plans for this.

> Will the user interface warn the user when they are about to block all
> traffic (including ssh) to a droplet?

There are no footgun warnings, no.

Let me know if you have more questions... thanks!

~~~
peterwwillis
Just checking if I have this right...

> The rules are all added together and applied at the same priority. Order
> doesn't matter.

If I make several firewalls, and the order of the rules when mixed results in
unexpected traffic flows compared to the firewalls being applied individually,
I have a bug that is hard to see, only experienced during traffic as "timeout"
or "not a timeout", and because of a lack of logging, no way to troubleshoot
other than rewriting all the firewalls to try to remove any possibility of
conflict, or writing whole new firewalls.

If I understood correctly, it's basically unsafe to mix more than one firewall
per droplet, and in general a pain to troubleshoot. This is in contrast to
iptables, where you can have multiple tables and chains, they follow a
prescribed order, and you can mix and match them with expected results. Not to
mention you can add logging whenever you need it.

~~~
beardicus
It's possible you're assuming the firewalls have more rule types than they
actually do. Basically these firewalls default to dropping all packets, and
any rules you add are to accept a port or port range. Adding such rules
together is simple and doesn't depend on order.
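An added model of the semantics described above (default drop, accept-only rules, all attached firewalls unioned so order cannot matter), with the source types nodesocket mentions (CIDR, droplet, tag) and a check for the "no footgun warning" SSH lockout case; this is illustrative code, not DigitalOcean's implementation, and the rule and packet shapes are my own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the semantics described in this thread: default drop,
# every rule is an accept for one protocol/port range from a set of sources
# (CIDR, droplet id, or tag), and all firewalls attached to a Droplet are
# unioned, so their order cannot matter. Rule/packet shapes are assumptions.

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    ports: tuple    # (low, high) inclusive; ignored for icmp
    sources: tuple  # CIDR strings, "droplet:<id>" or "tag:<name>"

def source_matches(src, packet):
    if src.startswith("droplet:"):
        return packet.get("src_droplet") == src.split(":", 1)[1]
    if src.startswith("tag:"):
        return src.split(":", 1)[1] in packet.get("src_tags", ())
    ip = packet.get("src_ip")
    return ip is not None and ip_address(ip) in ip_network(src, strict=False)

def rule_allows(rule, packet):
    if rule.protocol != packet["protocol"]:
        return False
    if rule.protocol != "icmp":
        low, high = rule.ports
        if not low <= packet["dport"] <= high:
            return False
    return any(source_matches(s, packet) for s in rule.sources)

def inbound_allowed(firewalls, packet):
    """Accept if any rule in the union of all attached firewalls matches; else drop."""
    merged = set().union(*(set(fw) for fw in firewalls))
    return any(rule_allows(r, packet) for r in merged)

def ssh_lockout_risk(firewalls, admin_ip):
    """The footgun noted in the thread: True if nothing admits SSH from admin_ip."""
    probe = {"protocol": "tcp", "dport": 22, "src_ip": admin_ip}
    return not inbound_allowed(firewalls, probe)

# Constructed sample: a per-role "web" firewall plus a separate "admin" firewall.
WEB = [Rule("tcp", (80, 80), ("0.0.0.0/0",)), Rule("tcp", (443, 443), ("0.0.0.0/0",))]
ADMIN = [Rule("tcp", (22, 22), ("203.0.113.0/24",)),
         Rule("tcp", (5432, 5432), ("tag:app",))]
```

Because the result is a union, `inbound_allowed([WEB, ADMIN], pkt)` and `inbound_allowed([ADMIN, WEB], pkt)` always agree, and attaching only `WEB` to a box is the silent SSH lockout the thread is worried about.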

~~~
peterwwillis
Oh... I hadn't quite grasped the limitations. So these "firewalls" are
basically two chains with a drop policy and rules with ACCEPT jump targets,
and either a source or destination. This seems to be a port whitelist rather
than a firewall.

It does seem that if you create one single firewall per role, this is a simple
and effective means of applying really basic port access rules to a large
number of droplets at once. But by calling it a "firewall", people actually
believe it replaces a real modern firewall and have actually dropped real
firewalls from their droplets, making overall security worse. Not to mention
the many ways you could accidentally open up or restrict more than you wanted
to.

Maybe I missed something again. It says your firewalls are stateful. Are the
input rule targets really "NEW,ESTABLISHED" and the output rule targets really
"ESTABLISHED,RELATED" ? If they are doing connection tracking and verifying
the 3-way handshake before passing on the connection, I suppose this is useful
to prevent syn floods that don't complete a handshake. I'd be interested to
know what actual protection these firewalls give other than port whitelisting.
(And yes, I see a generic icmp type is included as well as tcp & udp)

~~~
beardicus
The firewalls are stateful, with connection tracking.

------
aphextron
This just made my day. Running apps on FreeBSD is awesome, but dealing with
IPFW config is a nightmare.

------
xchaotic
I'm trying to explain what these are to my grandmother. Any car analogies? ;)

~~~
riffic
A firewall is named for the structure in an automobile which keeps engine
compartment fires out of the passenger cabin.

[https://en.wikipedia.org/wiki/Firewall_(engine)](https://en.wikipedia.org/wiki/Firewall_\(engine\))

~~~
redbeard0x0a
On top of it, there are holes (ports) in the firewall to let various wires
through. It would also keep road grime, rocks, etc. that might be kicked up
from entering the passenger compartment.

