Is Linode firewall as 'good' as UFW in Ubuntu 22.04?
I'm doing the planning for a new Ubuntu 22.04 production server… this one will be dedicated (only cost a few bucks more a month.)
Simple question… and all I need is a simple answer.
Is the Linode server firewall as good as the UFW firewall? (I just use standard settings… incoming only… I can't think of a need for outgoing rules.)
22/tcp ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
Apache Full ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
I would think the Linode service is just as good, but over the past few years I've learned to listen to stevewi and several others here on how to admin a server.
Thanks.
5 Replies
ufw is a "friendly front-end" to iptables…the actual firewall. If you look at the firewall rules using
sudo iptables -L -n
you'll see a whole bunch of stuff with the prefix ufw-. These are the rules ufw creates/manages for you.
You don't need ufw to make iptables work for you… Even when I was an Ubuntu user, I never used it:
- I don't trust "friendly front-ends" to do the right thing;
- some of my rules were very complex and used dynamic tables (ipsets) which ufw couldn't deal with; and
- rule order mattered to me and ufw couldn't absolutely guarantee that.
What are these?
Apache Full ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
The Linode Cloud firewall is not nearly as sophisticated as iptables. It cannot handle dynamic tables and the only programmatic access is using the Linode API.
Ideally, you would use both the Cloud firewall and iptables in some combination.
-- sw
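As an added example, not code from the thread or from any of its posters: the inbound policy shown in the question (22, 80 and 443 in, everything else denied), written directly as an nftables ruleset for Ubuntu 22.04 rather than generated by ufw. It shows the two things the reply above says ufw cannot give you: named sets that can be changed at runtime without reloading, and rule order you control yourself. The SSH source prefixes (203.0.113.0/24 and 2001:db8::/32) are documentation ranges standing in for real ones, and the output path is an assumption.

```shell
#!/bin/sh
# Added example: the question's ufw policy as a hand-written nftables ruleset.
# ufw would generate roughly equivalent rules; here they are explicit, ordered
# by hand, and SSH sources live in named sets that can be edited at runtime.
# Assumptions: OUT path; the documentation prefixes in the sets are placeholders.

OUT="${OUT:-/tmp/ufw-equivalent.nft}"

write_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Named sets. Add or remove sources at runtime with, for example,
    #   nft add element inet filter ssh_v4 { 198.51.100.7 }
    # Nothing is reloaded or reordered. ufw has no equivalent.
    set ssh_v4 { type ipv4_addr; flags interval; elements = { 203.0.113.0/24 } }
    set ssh_v6 { type ipv6_addr; flags interval; elements = { 2001:db8::/32 } }

    chain input {
        # Order is the point: connection state first, then loopback, then the
        # explicit allows. The chain policy drops whatever nothing accepted.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # Keep path MTU discovery, ping and IPv6 neighbour discovery working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # SSH only from the sets; anything else to 22 is logged, then dropped.
        tcp dport 22 ip saddr @ssh_v4 accept
        tcp dport 22 ip6 saddr @ssh_v6 accept
        tcp dport 22 ct state new log prefix "nft-ssh-drop: " drop
        # "Apache Full" in ufw terms: 80 and 443 from anywhere, v4 and v6.
        tcp dport { 80, 443 } accept
        # Log (rate-limited) what falls through to the policy drop.
        limit rate 10/minute log prefix "nft-input-drop: "
    }
    chain forward {
        # This host is not a router. Docker needs forwarding; adjust if you run it.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Stand-alone: write the file, then load it only when asked (needs root).
write_ruleset "$OUT"
echo "wrote $OUT"
if [ "${1:-}" = "apply" ]; then
    nft -c -f "$OUT" && nft -f "$OUT"   # syntax check, then load atomically
fi
```

To make this the live firewall, run `ufw disable` first so two managers are not fighting over the same tables, copy the file to /etc/nftables.conf, and enable the nftables service so it is reloaded at boot. `nft list ruleset` shows exactly what is loaded, with no ufw- chains in between.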
The real drawback is that the Cloud firewall affects all the Linodes in your account so if one Linode modifies it, the modifications are for your whole account.
I don't believe this is the case. Unless the cloud firewall has changed, you have to choose which Linode to use a specific firewall, or set of rules, with. I have created a preliminary firewall that I would use if the cloud firewall was accessible for screen reader use, it isn't at the moment. The firewall sits in my account and does nothing, since I've not added it to any Linodes.
From what I know of iptables and the Linode cloud firewall, if you're only using a firewall for basic use and you don't require dynamic tables, traffic counters, specific server logging of certain rules, or other more complex firewall configurations, the Linode cloud firewall and iptables should be identical. The only difference in basic use that I could see, is that with iptables running on your individual server, any packet filtering and other load that the firewall might place on a system, will be on your server. With the cloud firewall, that will be handed off to Linode, and your VPS won't have to process the data that a firewall would.
Good luck.
Blake
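As an added example, not code from the thread or from Linode: the same inbound policy expressed as a Linode Cloud Firewall, created through the Linode API v4 (the only programmatic interface to it, as noted above) and attached to one specific Linode by ID rather than to the whole account. The Linode ID and the SSH allowlist prefixes are placeholders; LINODE_TOKEN is assumed to be a personal access token with firewall read/write scope.

```shell
#!/bin/sh
# Added example: the question's policy (22/80/443 in, default deny) as a
# Linode Cloud Firewall built with the Linode API v4. The firewall applies only
# to the Linodes listed under "devices". Assumptions: LINODE_ID and the
# allowlist prefixes are placeholders; LINODE_TOKEN must be set to create.

API="${API:-https://api.linode.com/v4}"
LINODE_ID="${LINODE_ID:-12345678}"        # placeholder: your Linode's numeric ID
SSH_V4="${SSH_V4:-203.0.113.0/24}"        # placeholder admin prefix (RFC 5737)
SSH_V6="${SSH_V6:-2001:db8::/32}"         # placeholder admin prefix (RFC 3849)

# Request body. inbound_policy DROP is the default deny; each inbound rule is
# an explicit ACCEPT. "ports" takes a port, a range, or a comma list; ICMP
# rules carry no ports. Outbound is left wide open, as in the question.
cloud_fw_payload() {
    cat <<EOF
{
  "label": "web-ssh-$LINODE_ID",
  "rules": {
    "inbound_policy": "DROP",
    "outbound_policy": "ACCEPT",
    "inbound": [
      {"label": "ssh-from-admin", "action": "ACCEPT", "protocol": "TCP",
       "ports": "22",
       "addresses": {"ipv4": ["$SSH_V4"], "ipv6": ["$SSH_V6"]}},
      {"label": "web", "action": "ACCEPT", "protocol": "TCP",
       "ports": "80,443",
       "addresses": {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}},
      {"label": "icmp", "action": "ACCEPT", "protocol": "ICMP",
       "addresses": {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}}
    ],
    "outbound": []
  },
  "devices": {"linodes": [$LINODE_ID]}
}
EOF
}

# POST the firewall; the API answers with the created object as JSON.
cloud_fw_create() {
    [ -n "${LINODE_TOKEN:-}" ] || { echo "set LINODE_TOKEN first" >&2; return 1; }
    cloud_fw_payload | curl -sS -X POST "$API/networking/firewalls" \
        -H "Authorization: Bearer $LINODE_TOKEN" \
        -H "Content-Type: application/json" \
        --data-binary @-
}

# Stand-alone: print the payload for review; only create when explicitly asked.
if [ "${1:-}" = "create" ]; then
    cloud_fw_create
else
    cloud_fw_payload
fi
```

Run it with no arguments to inspect the JSON, then with `create` to submit it. Because the rule set is plain data, it is easy to keep in version control and diff against what the API reports back from `GET /v4/networking/firewalls`, which is the cloud-side equivalent of reviewing `nft list ruleset` on the host. Used the way the earlier reply suggests, this sits in front of the Linode and the host firewall still filters what reaches the kernel.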
"What are these?
Apache Full ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)"
Just some port based iptables/ip6tables rules as you already know but they have --comments in the rules for Apache in this case. ufw allow ssh would make some port 22 rules with a comment in them. These comments also show in the ufw logs. I think that's about it.
And as you mentioned it's certainly better to learn iptables or nftables directly and for something intended to be run in production one would want to test their rules regardless of what firewall or front end they use anyways since it can be misconfigured or misunderstood by the admin. This happens quite often. Especially if someone is doing forwarding or using Docker since it bypasses most of the common ufw/INPUT rules in online "guides".
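As an added example, not code from the thread or from any of its posters: the Docker case the reply above warns about, and a way to test the result from outside. Traffic to a published container port is DNATed and then goes through FORWARD, not INPUT, so ufw's INPUT rules never see it; Docker's DOCKER-USER chain is evaluated before Docker's own rules and is the supported place to filter that traffic. The public interface name (eth0), the admin prefix (203.0.113.0/24) and the probe targets are placeholders.

```shell
#!/bin/sh
# Added example: restrict published Docker ports via DOCKER-USER, then probe
# the host from outside to confirm only the intended ports answer.
# Assumptions: PUB_IF is the public interface; the admin prefix and the hosts
# and ports passed to verify_exposure are placeholders.

PUB_IF="${PUB_IF:-eth0}"

# Emit (not run) the DOCKER-USER rules. iptables -I prepends, so the lines are
# emitted in reverse of the order they will be evaluated: the DROP ends up last,
# the port allows first. Matching uses the ORIGINAL destination port because
# DNAT to the container port has already happened by the time FORWARD runs.
docker_user_rules() {
    admin="$1"
    cat <<EOF
iptables -I DOCKER-USER -i $PUB_IF -j DROP
iptables -I DOCKER-USER -i $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -I DOCKER-USER -i $PUB_IF -s $admin -j RETURN
iptables -I DOCKER-USER -i $PUB_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport 80 -j RETURN
iptables -I DOCKER-USER -i $PUB_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport 443 -j RETURN
EOF
}

# TCP connect probe using bash's /dev/tcp, so nothing needs installing on the
# machine you test from. Returns 0 if the port accepts a connection.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Returns 0 only if every port in $2 connects and every port in $3 does not.
# This is the test to run from a host outside the allowlist after loading rules.
verify_exposure() {
    host="$1"; want_open="$2"; want_closed="$3"; rc=0
    for p in $want_open; do
        if port_open "$host" "$p"; then echo "ok   $host:$p open"
        else echo "FAIL $host:$p should be open"; rc=1; fi
    done
    for p in $want_closed; do
        if port_open "$host" "$p"; then echo "FAIL $host:$p reachable"; rc=1
        else echo "ok   $host:$p closed"; fi
    done
    return $rc
}

case "${1:-}" in
    rules)  docker_user_rules "${2:-203.0.113.0/24}" ;;
    verify) verify_exposure "${2:-198.51.100.10}" "${3:-22 80 443}" "${4:-3306 6379 8080}" ;;
    *)      echo "usage: $0 rules [admin-cidr] | verify <host> [open-ports] [closed-ports]" ;;
esac
```

`./script rules 203.0.113.0/24 | sudo sh` loads the rules; `./script verify <public-ip>` from a machine outside the allowlist should report 22, 80 and 443 open and a container's database or admin ports closed. Docker's default IPv6 setup does not publish ports on v6, so these are iptables (v4) rules only; if you also run a hand-written nftables forward chain with policy drop, as in a plain non-router ruleset, it will drop container traffic too, so the two have to be designed together.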