Linode cloud firewall: Do you need it to protect the Linux server?


Linode is an original cloud platform, founded before AWS. Back then, we used to call them VPS (Virtual Private Server). Recently they added a new firewall feature to control network access to my Linode server from the Cloud. Let us test drive the Linode cloud firewall.

What is a Linode cloud firewall?

A firewall is nothing but a set of simple rules that filter out malicious traffic before it reaches your Linux server or network. We use a firewall to block and allow network traffic as per our needs. For example, I can allow only a specific IP address to log in over SSH. Of course, you need to install and enable such a firewall on each Linux server. A cloud firewall does the same job at the network level, so traffic is either allowed to reach the server or denied. We can control packet flow easily and set up inbound and outbound rules for the server.

But don’t we have iptables, ufw, firewalld for the Linux server?

Many developers, new Linux sysadmins, and users find iptables syntax difficult. Many end up setting up the wrong firewall policies, which gives them a false sense of security. Hence, one can use a cloud firewall to protect the server. We also call it Firewall-as-a-Service (FWaaS), and we are outsourcing the job of filtering IP packets to the Linode firewall. Of course, we can combine both the cloud firewall and iptables. In some cases, you are still going to need iptables. For instance, Linux containers and Docker-based apps need NAT rules to redirect traffic to the correct containers.

Test driving Linode cloud firewall

Adding a Linode firewall is simple. I logged into my Linode manager and chose Firewalls from the left menu. Click on “Add a firewall.” We can use the CLI option too:

Adding a new Linode firewall to protect my Alpine Linux box

The Linode firewall sets up sensible inbound rules that allow DNS and SSH traffic by default. No outbound rule is set up, so all traffic from my Linux server is allowed by default:

Default Inbound/Outbound Firewall rule

Since I will host a website, I need to open TCP 443 (HTTPS) and 80 (HTTP) ports. You can open any ports and control access to a specific IP address or allow everyone to use the website:

Opening HTTP and HTTPS ports

Let us restrict SSH traffic to OpenVPN or Wireguard CIDR 10.8.1.0/24 or a public IP address such as 1.2.3.4:

By default, ping-pong requests are blocked. Let us be a good netizen and allow ICMP using a custom rule:

Allow incoming ping request

Linode outbound rules limit the outgoing network connections from a Linode service based on the port(s) and destinations we configure. By default, all outgoing requests from the server are allowed, but I decided to tighten up the IP security policy. In the end, here is how it looked:

However, I missed two features:

  1. Rate limitation for SSH or any other port. For instance, deny connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. That feature would be neat.
  2. I would also like to see a custom remark text box for custom rules. Say I need to find out what the UDP/1194 inbound rule is set up for.

I hope they add these two tiny features, and it will make the product even better.

How to validate IP policy set by Linode cloud firewall

Use the nmap command from your Linux or macOS/BSD desktop:
sudo nmap your-linode-ip-here
Sample outputs:

Nmap scan report for li2xyz-abc.members.linode.com (172.10z.xxx.yyy)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https
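
In this output, closed means the probe passed the cloud firewall and the host answered with a reset because nothing is listening on the port yet, while filtered means the probe was dropped before it got an answer. The script below is an added example, not part of the original article, that turns that reading into a repeatable check of the scan against the intended policy; the ALLOWED list, the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nmap's port table against the intended inbound policy.
# ALLOWED: ports the firewall should pass from the scanning host (80/443 here;
# SSH is limited to the VPN CIDR in the article, so it is deliberately absent).
ALLOWED="80/tcp 443/tcp"
# Reads nmap normal output on stdin and prints one verdict per line:
#   PASS        allowed port, probe reached the host (open or closed)
#   BLOCKED     allowed port, but the firewall dropped the probe
#   UNEXPECTED  port outside the policy answered, so a rule is too broad
audit_nmap() {
    awk -v allowed="$ALLOWED" '
        BEGIN { hidden = "unscanned"; n = split(allowed, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # "Not shown: 998 filtered ports" is the state of every unlisted port.
        /^Not shown:/ { hidden = $4 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {    # port rows, e.g. "80/tcp  closed http"
            seen[$1] = 1
            reached = ($2 == "open" || $2 == "closed")
            if (($1 in want) && reached) print "PASS", $1, $2
            else if ($1 in want)         print "BLOCKED", $1, $2
            else if (reached)            print "UNEXPECTED", $1, $2
        }
        END {
            for (i = 1; i <= n; i++) if (!(a[i] in seen)) {
                verdict = (hidden == "closed") ? "PASS" : "BLOCKED"
                print verdict, a[i], hidden
            }
        }'
}

# Constructed sample 1: the port table from the scan shown in the article.
sample_article() { cat <<'EOF'
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https
EOF
}

# Constructed sample 2: a drifted policy, SSH and MySQL reachable from anywhere.
sample_drift() { cat <<'EOF'
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
EOF
}

sample_article | audit_nmap; sample_drift | audit_nmap
```

Against a real server, pipe the scan in instead of a sample: sudo nmap your-linode-ip-here | audit_nmap.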

Summing up

Overall, I found the user interface easy to use and perfect for new Linux developers or sysadmins. An outsourced cloud firewall takes the guesswork out of setting up a valid IP policy. I have always preferred the IP policy approach of closing all windows and opening only the required TCP/UDP ports. Security is like an onion to me. You need different layers to protect your websites or apps. Hence, apart from the Linode cloud firewall, we need to install a WAF (web application firewall) like ModSecurity for Nginx or Apache. For DoS/DDoS attacks and bot control, you need a distributed cloud firewall provided by Cloudflare, Fastly, AWS and others. Don’t forget to check out the Linode firewall documentation, as it gives more information.

Disclaimer: Linode has been a nixCraft corporate sponsor since 2017. I write this review as a happy user, and I recommend them to all my clients and blog visitors.

