Hello everybody.
It took some time but we are extremely happy to announce the launch of Cloud Firewalls, an easy way to protect your Droplets. It's available in all regions today and it's free. Please read more details at the link below:
https://blog.digitalocean.com/cloud-firewalls-secure-droplets-by-default/
Thanks a lot for sending us feedback and feature requests. Stay tuned for more security-related news in the future.
Best regards
Rafael
DNS is on our roadmap.
We're working on one large feature first that's going to make it even easier to deploy code, then we're going to start on DNS management through our interface.
The firewall sounds interesting and we're going to add it to our backlog and begin discussions on that.
I agree, I've found AWS's "Security Groups" good. A firewall for droplets that lets us apply port-based policies to droplets to allow only certain ports would be useful.
If you implement a control-panel based firewall, I will move all of my hosting to you that very day - I'm so far very impressed by the speed at which you appear to be growing and as well funded as you *appear* to be... you may unseat Linode at this pace :)
Thanks for the kind words guys, if there are particular features and/or functionality that you are looking for in terms of Firewall please let us know as it will help us develop our product roadmap.
Thanks,
Moisey
DigitalOcean
For firewall: I'd like to see groups for host IPs (both external host groups and internal host groups) which can be used to assign rules to groups instead of directly on host IPs. (For instance, allow FTP from my house and my brother's house to a predefined subgroup of my internal hosts)
So the inbound rule flow could be applied like:
external host group -> rule (or rule group!) -> internal host group
Groups of rules would be cool (allow ssh, ftp, etc. all at once) but probably not necessary right off the bat.
And don't forget IPv6 or the fact that some droplet hosts can have more than one IP on them :)
We've updated this request to just reflect Cloud Firewall because DNS has been launched.
Please up-vote if you are interested in a cloud firewall service through the control panel!
Thanks
Firewall yep!
Installing a control panel based firewall rule generator does not take too much disk space. I think Webmin is easy to use and install on any droplet. Maybe it is also a good way, if D.O. includes it in the default images. But... anyway, if someone has a minimal experience with Linux, it should not mean any problem. BTW, Webmin also has a large set of tools, which can help sysadmins.
Not only a basic firewall but also a security wall against SQL injection, XSS... (maybe I'm thinking too big...)
SQL injection and XSS attacks are done on sites based on the code quality (or lack thereof) of the site alone. There's no way they could make some magical protection layer for that.
That being said, a firewall offering prior to data hitting our droplets would be nice. It isn't exactly necessary, but I definitely wouldn't mind seeing it.
Managed firewall is a bit tricky and needs to be discussed further because Linux provides great firewall management tools out of the box.
If you want something more complex like SQL injection protection, that really isn't a traditional firewall.
It might make the most sense to create a "firewall image"... maybe something like pfSense... and then roll it out after implementing VLANing and internal IP addresses. It could run comfortably on a small VM and would allow a person to use it between their other VPSs and the rest of the internet.
I'd like to see something like Amazon's security groups if possible.
Please provide us with a firewall and DDoS protection. My droplet is under attack and is generating traffic of about 500 kbps.
We need this traffic dropped before the droplet. Iptables isn't the best option :(
My vote is for something approximating security groups!
Security groups would be great
I question your judgement regarding DNS being on your roadmap prioritized before firewall / security groups and internal networking and routing among servers. DNS is available everywhere and is trivial to implement. Having a good firewall and a secure, isolated mechanism for networking servers internally is a prerequisite for any installation. This was actually a deal-breaker for me and I will continue using Amazon for the time being. I will keep my eye out as you provide an excellent value proposition.
Good luck!
Will it help using CloudFlare and/or its paid service?
Any news about the firewall?
Definitely want a separate firewall front-end, like Amazon's Security Groups, which gives users an easy front-end to create their own firewall rules on their centrally managed firewalls. Attacks against your server would be intercepted before they got to your Droplet and handled by Digital Ocean experts. IP tables and Windows Firewall are good, but I would never expose a Linux or Windows server directly to the Internet again. I did it once with Linux (years ago) and a hacker was able to exploit it and install a rootkit. Network security requires layers. Some providers give an option of having a separate Cisco firewall for your cloud instance -- I hate that idea as it is expensive and it does not come with central monitoring.