Linode is an original cloud platform and founded before AWS. Back then, we used to call them VPS (Virtual Private Server). Recently they added a new firewall feature to control network access to my Linode server from the Cloud. Let us test drive Linode cloud firewall.
What is a Linode cloud firewall?
A firewall is nothing but simple rules that filters out malicious traffic reaching your Linux server or network. We use a firewall to block and allows network traffic as per our needs. For example, I can allow the only specific IP address to log in over SSH. Of course, you need to enable and install such a firewall per the Linux server. A cloud firewall does the same job at a network level. So traffic can reach or denied. We can control packets flow easily. We can set up inbound and outbound rules for the server.
Many developers, news Linux sysadmin, and users find iptables syntax difficult. Many end up setting up the wrong firewall policies and giving them a fake illusion and sense of security. Hence, one can use a cloud firewall to protect the server. We also call it Firewall-as-a-Service (FWaaS), and we are outsourcing the filtering IP packets job to the Linode firewall. Of course, we can combine both cloud firewall and iptables. In some cases, you are still going to need iptables. For instance, Linux containers and Docker-based app need NAT rules to redirect traffic to correct containers.
Test driving Linode cloud firewall
Adding a Linode firewall is simple. I logged into my Linode manager and chose Firewalls from the left menu. Click on the “Add a firewall.” We can use the CLI option too:
The Linode firewall set up sensible inbound rules which allow DNS and SSH traffic by default. There is no outbound rule set up, and all traffic from my Linux server is allowed by default:
Since I will host a website, I need to open TCP 443 (HTTPS) and 80 (HTTP) ports. You can open any ports and control access to a specific IP address or allow everyone to use the website:
Let us restrict SSH traffic to OpenVPN or Wireguard CIDR 10.8.1.0/24 or a public IP address such as 22.214.171.124:
By default, ping-pong requests are blocked. Let us be a good netizen and allow ICMP using custom rule:
Linode outbound rules limit the outgoing network connections from a Linode service based on the port(s) and destinations we configure. By default, all outgoing requests from the server allowed, but I decided to tighten up the IP security policy. In the end here is how it looked:
However, I missed two features:
- Rate limitation for SSH or any other port. For instance, deny connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. That feature would be neat.
- I would also like to see a custom remark text box for custom rules. Say I need to find out what does UDP/1194 inbound rule is set up.
I hope they add these two tiny features, and it will make the product even better.
How to validate IP policy set by Linode cloud firewall
Use the nmap command from your Linux or macOS/BSD desktop:
sudo nmap your-linode-ip-here
Nmap scan report for li2xyz-abc.members.linode.com (172.10z.xxx.yyy) Host is up (0.016s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp closed http 443/tcp closed https
Overall I found the user interface easy to use and perfect for new Linux developers or sysadmins. Outsourced cloud firewall takes out the guesswork of setting up valid IP policy. I always preferred to close all windows and open the required TCP/UDP ports IP policy approach. Security is like an onion to me. You need different layers to protect your websites or apps. Hence, apart from the Linode cloud firewall, we need to install WAF (web application firewall) like ModSecurity for Nginx or Apache. For DoS/DDoS attacks and bot control, you need a distributed cloud firewall provided by Cloudflare, Fastly, AWS and others. Don’t forget to check out Linode firewall documentation as it gives more information.
Disclaimer: Linode is a nixCraft corporate sponsor since 2017. I write this review as a happy user, and I recommend them to all my clients and blog visitors.