by Justin Ellingwood
Would be nice to have support for IPSec-ESP (50) and IPSec-AH (51) protocols in DigitalOcean Firewall.
Currently I have to use iptables since DO FW is limited to TCP, UDP and ICMP.
This is a great feature and is a good addition to this website.
Hi I welcome to be here
We would very much welcome this feature. We would like to connect one of our Digital Ocean droplets to another external datacenter that we operate fully ourselves, over IPSEC point-to-point (we use Strongswan for this). Currently, this is only possible if we turn off the DigitalOcean Firewall, but this means we have to rely on UFW instead. UFW is good, but for example it allows ICMP traffic from anywhere by default, and there are some other quirks as well. We would feel much more secure with being able to have a DigitalOcean Firewall that can allow IPSEC traffic (i.e. ESP packets to pass through). This should be an easy fix from DigitalOcean, and it feels very unmodern to not support this. DigitalOcean, can you PLEASE implement this, giving better security for all?
Digital Ocean really doesn't understand what these protocols are (https://www.digitalocean.com/community/questions/does-do-firewall-support-ip-protocol-50-esp) or why someone would want to use them.
Specifically, people that run Docker Swarm on Digital Ocean servers, who also use the Digital Ocean Cloud Firewall. The DO Cloud Firewall does not allow people to configure allow/deny rules for Protocol 50 or Protocol 51 (not ports). This is important because Docker Swarm can be run on multiple servers and the Swarm Network stack uses IPSEC tunnels on the back-end to power the mesh-network. If I want to use more than one DO server in my Docker Swarm, I need to add firewall rules for these protocols. Since the DO firewall does not support these protocols, the other option here is to expose all of my servers nakedly to the internet and rely upon iptables / UFW to do the heavy lifting and thwart a massive amount of malicious internet traffic (while being able to allow Protocol 50/51).
I would much prefer to use multiple DO servers in my Docker Swarm and have them all protected by the DO Cloud Firewall. The tradeoff of staying on a single server inside DO vs. exposing my boxes to the raw internet right now is much in favor of security... which means: Hey Digital Ocean! I'm stuck on one box in your datacenter until you allow me to add ESP Protocol 50 & 51 rules to your Cloud Firewall.
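The host-level fallback the posts above describe, as an added example that is not from DigitalOcean or from any poster: a POSIX shell script that emits iptables rules admitting IKE (UDP 500/4500), ESP (protocol 50) and AH (protocol 51) only from one assumed peer gateway (203.0.113.10, a constructed documentation address) on an assumed interface eth0, with a default-drop policy and rate-limited ICMP in place of UFW's allow-from-anywhere default. Rules are printed for review and only applied with `--apply` as root.

```shell
#!/bin/sh
# Added example: host firewall for an IPsec peer while the cloud firewall cannot filter 50/51.
PEER="${PEER:-203.0.113.10}"   # constructed example address of the remote IPsec gateway
WAN="${WAN:-eth0}"             # assumed internet-facing interface

# Emit the iptables commands as text so they can be reviewed or diffed before being applied.
ipsec_rules() {
  peer="$1"; ifc="$2"
  # Refuse an empty or CIDR peer: the point is to admit ESP/AH from one known host only.
  case "$peer" in
    ""|*/*) echo "peer must be a single host address, not empty or a CIDR" >&2; return 1 ;;
  esac
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${ifc} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management access (restrict -s to your admin network in practice)
iptables -A INPUT -i ${ifc} -p tcp --dport 22 -j ACCEPT
# IKE (UDP 500) and NAT-T / ESP-in-UDP (UDP 4500), from the peer only
iptables -A INPUT -i ${ifc} -s ${peer} -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i ${ifc} -s ${peer} -p udp --dport 4500 -j ACCEPT
# The IP protocols the cloud firewall cannot express: ESP (50) and AH (51), from the peer only
iptables -A INPUT -i ${ifc} -s ${peer} -p esp -j ACCEPT
iptables -A INPUT -i ${ifc} -s ${peer} -p ah -j ACCEPT
# Keep ping usable but rate-limited rather than open from anywhere
iptables -A INPUT -i ${ifc} -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Everything else inbound is dropped
iptables -P INPUT DROP
EOF
}

# Apply only when explicitly requested and running as root; otherwise print for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
  ipsec_rules "$PEER" "$WAN" | grep -v '^#' | sh -e
else
  ipsec_rules "$PEER" "$WAN"
fi
```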
Is there an update on this, or an ETA?