Digital Ocean now has Firewalls at the Network Layer – This is Important

Digital Ocean droplet I received a notice from Digital Ocean this morning about their new firewalls. You can read their blog post: Cloud Firewalls: Secure Droplets by Default

This is important. Before this, I had to install firewalls at the virtual server level. Firewalls can still be used at the virtual server level to augment the network layer, but they’re not required.

The key here is “secure by default”. Once I enable a firewall, only one incoming rule exists and it’s SSH. I have to enter the rest of the desired incoming ports one at a time.

Digital Ocean is Making Things Easier for me

Okay, so some other big name web hosting providers have firewalls at the network layer. I never used the one at Media Temple, when I used them to host my websites. Their control panel functions were confusing and I could never get the firewall rules entered correctly. To be fair, that was probably caused more by my flaky Internet connection at the time than anything else.

The settings for my droplet at Digital Ocean look nothing like a traditional control panel and that’s a good thing.

It took me less than five minutes to set up the firewall at Digital Ocean. I copied the port numbers from my firewall, entered them there and then clicked on the button to enable it.


Back in 2013, I wrote about installing Webmin and ConfigServer Security & Firewall. I may or may not remove CSF. Having a secondary firewall isn’t going to hurt anything. I can get by without Webmin as a control panel, but only if I remove CSF.

I hardened my droplet sometime before I wrote about it in 2016. Then I wrote about blocking port scans in January of this year and then about blocking fewer port scans in April.

Now, I don’t have to worry about port scans at all. The only ports that get past the network layer are the ones I entered into the Digital Ocean firewall. I only have six incoming TCP ports (not counting the FTP passive ports) and only one incoming UDP port. These are for SSH, FTP, the web server and Webmin. Nothing else on my droplet can be reached from the outside world.

June 6, 2017


Previous and Next Articles:

« »

You May Also Like:


Your comment will appear below the form when it's approved. When the page redisplays after hitting the send button (it can take a few seconds), your comment has been sent.

When replying to someone else's comment, please start the comment with "@" and the name so I can put it in the right place.

Subscribe to Articles by Email

RSS Feed Link

Books by William James Asberry

Comments Policy
Privacy Policy

RTCX established February 28, 2011