Linode Cloud Firewall and ufw?
I installed ufw and created a firewall for my Ubuntu 20 server.
Is there any advantage to deleting it (or leaving it) and creating a Linode Cloud Firewall from the manager panel?
Thanks.
5 Replies
@acanton77 writes:
> I installed ufw and created a firewall for my Ubuntu 20 server.
> Is there any advantage to deleting it (or leaving it) and creating a Linode Cloud Firewall from the manager panel?
For a lot of (simple) cases the Linode cloud firewall is going to be extremely useful. However, it's extremely limited in what it can do:
- It only manages certain protocols (and by inference the standard ports for those protocols). What if you want to block a protocol that doesn't have a template (like samba…or imap/imaps)…or you have ssh(1) serving port 2222 instead of 22? You are going to be out of luck…
- You can't do rate-limiting. In my firewall, I have http/https rate-limited (100 connections/min with a burst rate of 400 connections/min)…with rejection of limit violations. You can't do that with the cloud firewall (of course, you can't do that with ufw either…well, technically you can but you have to modify the iptables(8) rules that ufw generates -- see: http://blog.lavoie.sl/2012/09/protect-webserver-against-dos-attacks.html).
- No support for something like ipset (of course, ipsets live on your Linode and the cloud firewall can't look inside it…the cloud firewall operates outside your Linode). Still, it would be very nice to be able to have the src or dst of a rule be a list of addresses/networks…not just limited to a single address/network.
- No support for logging. I'm sure there's a log but there's no way to view it (that I could see).
I'd stick with ufw…or, better yet, learn how iptables(8) works and ditch ufw too.
-- sw
> What if you want to block a protocol that doesn't have a template (like samba…or imap/imaps)…or you have ssh(1) serving port 2222 instead of 22?
That’s easy to do - choose the protocol as TCP, port as “custom” and then enter 2222 as the port number.
You can also enter multiple ports like “22,465,587” or a range like “22000-23000”.
That said, I think there are some additional templates I’m surprised aren’t there - like SMTP.
The only other limitation I’ve found is that you can’t specify both source and destination in inbound rules. For example, I might want to open HTTPS to public, but not to the private IP.
To answer the original question, I think there’s a case for using both (multi-layer security.) Use the Linode cloud firewall to implement the simple blocks (like blocking off ports) and ufw for the more fine-grained rules.
@andysh writes:
> The only other limitation I’ve found is that you can’t specify both source and destination in inbound rules. For example, I might want to open HTTPS to public, but not to the private IP.
I have a rules-based, mail-filing app that runs as part of mail delivery that uses imap (port 143…not imaps, port 993). I have an INPUT rule for both IPv4 and IPv6 that blocks ALL imap traffic unless the src and dst are both localhost (imap is a favorite target of spammers).
-- sw
> I have an INPUT rule for both IPv4 and IPv6 that blocks ALL imap traffic unless the src and dst are both localhost (imap is a favorite target of spammers).
Yeah exactly - so if you used the Linode Cloud Firewall, you'd have a default action of "deny" on the input, and don't create any rules that allow traffic to 143 or 993.
This was my point about multi-layer security; you could still have your ufw rule in place, but now the Linode firewall will stop any IMAP traffic reaching from outside of your Linode, and your ufw rules then allow more fine-grained control of the traffic that does make it to your Linode.
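The layering discussed in this thread, modelled as an added example (not code from any poster, from Linode or from ufw): an edge layer with a default inbound "deny" and port-based allow rules in the "22,465,587" / "22000-23000" syntax quoted above, followed by a host layer that admits IMAP only when source and destination are both loopback. The function names, the sample addresses (documentation ranges), treating 143 and 993 as the IMAP ports and accepting all non-IMAP traffic at the host layer are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

def parse_ports(spec):
    """Expand a port field such as "22,465,587" or "22000-23000" into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def is_loopback(addr):
    return ipaddress.ip_address(addr).is_loopback  # 127.0.0.0/8 and ::1

def cloud_layer(pkt, allowed_ports):
    """Edge layer: default inbound 'deny', TCP allow rules keyed on port only.
    It sits outside the host, so loopback traffic never passes through it."""
    if is_loopback(pkt.src):
        return "not-seen"
    return "accept" if pkt.dport in allowed_ports else "drop"

def host_layer(pkt, imap_ports=frozenset({143, 993})):
    """Host layer: IMAP is accepted only when src AND dst are both loopback.
    Assumption for this model: every other port is accepted here."""
    if pkt.dport in imap_ports:
        ok = is_loopback(pkt.src) and is_loopback(pkt.dst)
        return "accept" if ok else "reject"
    return "accept"

def verdict(pkt, cloud_spec):
    """Run a packet through both layers and report where it stops."""
    if cloud_layer(pkt, parse_ports(cloud_spec)) == "drop":
        return "dropped at cloud firewall"
    if host_layer(pkt) == "reject":
        return "rejected by host firewall"
    return "delivered"

if __name__ == "__main__":
    # Constructed packets; 203.0.113.7 and 192.0.2.10 are documentation addresses.
    for p in (Packet("203.0.113.7", "192.0.2.10", 143),
              Packet("127.0.0.1", "127.0.0.1", 143),
              Packet("203.0.113.7", "192.0.2.10", 443)):
        print(p, "->", verdict(p, "22,80,443"))
```

Passing a cloud rule set that wrongly includes 143 (for example "22,143,443") shows the second layer's value: the external IMAP packet gets past the edge and is still rejected on the host.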