Linode cloud firewall: Do you need it to protect the Linux server?

Linode is one of the original cloud platforms and was founded before AWS. Back then, we used to call them VPS (Virtual Private Server). Recently they added a new firewall feature to control network access to my Linode server from the cloud. Let us test drive the Linode cloud firewall.

What is a Linode cloud firewall?

A firewall is nothing but a set of simple rules that filter out malicious traffic before it reaches your Linux server or network. We use a firewall to block and allow network traffic as per our needs. For example, I can allow only a specific IP address to log in over SSH. Of course, you need to install and enable such a firewall on each Linux server. A cloud firewall does the same job at the network level, so traffic can be allowed to reach the server or be denied. We can control packet flow easily, and we can set up inbound and outbound rules for the server.

But don’t we have iptables, ufw, firewalld for the Linux server?

Many developers, new Linux sysadmins, and users find iptables syntax difficult. Many end up setting up the wrong firewall policies, which gives them a false sense of security. Hence, one can use a cloud firewall to protect the server. We also call it Firewall-as-a-Service (FWaaS): we are outsourcing the job of filtering IP packets to the Linode firewall. Of course, we can combine the cloud firewall and iptables. In some cases, you are still going to need iptables. For instance, Linux containers and Docker-based apps need NAT rules to redirect traffic to the correct containers.

Test driving Linode cloud firewall

Adding a Linode firewall is simple. I logged into my Linode manager and chose Firewalls from the left menu. Click on “Add a firewall.” We can use the CLI option too:

[Figure: Adding a new Linode firewall to protect my Alpine Linux box]

The Linode firewall sets up sensible inbound rules which allow DNS and SSH traffic by default. There is no outbound rule set up, and all traffic from my Linux server is allowed by default:
[Figure: Default inbound/outbound firewall rules]

Since I will host a website, I need to open TCP 443 (HTTPS) and 80 (HTTP) ports. You can open any ports and control access to a specific IP address or allow everyone to use the website:
[Figure: Opening HTTP and HTTPS ports]

Let us restrict SSH traffic to OpenVPN or Wireguard CIDR or a public IP address such as
[Figure: SSH Linode firewall rules]

By default, ping-pong requests are blocked. Let us be a good netizen and allow ICMP using a custom rule:
[Figure: Allow incoming ping request]

Linode outbound rules limit the outgoing network connections from a Linode service based on the port(s) and destinations we configure. By default, all outgoing requests from the server are allowed, but I decided to tighten up the IP security policy. In the end, here is how it looked:
[Figure: Final firewall policy]

However, I missed two features:

  1. Rate limiting for SSH or any other port. For instance, deny connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. That feature would be neat.
  2. I would also like to see a custom remark text box for custom rules. Say I need to find out why the UDP/1194 inbound rule was set up.

I hope they add these two tiny features, and it will make the product even better.

How to validate IP policy set by Linode cloud firewall

Use the nmap command from your Linux or macOS/BSD desktop:
sudo nmap your-linode-ip-here
Sample outputs:

Nmap scan report for (
Host is up (0.016s latency).
Not shown: 998 filtered ports
80/tcp  closed http
443/tcp closed https
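
In output like the above, "filtered" means the probe was dropped before the host answered, while "closed" means the packet got through the firewall but nothing is listening on that port. The following checker turns that reading into an automated comparison against the intended inbound policy. It is an added example, not code from the original post; the allowed-port set, the sample scan text and the verdict names are assumptions constructed for illustration:

```python
import re

ALLOWED_TCP = {80, 443}  # assumption: the HTTP/HTTPS ports opened in this post

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)")
HIDDEN = re.compile(r"(\d+) (\S+) (?:tcp |udp )?ports")

# Constructed sample in nmap's normal output format (192.0.2.10 is a
# documentation address); 3306 stands in for a port left open by mistake.
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host is up (0.016s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  open   https
3306/tcp open   mysql
"""


def parse_nmap(text):
    """Return ({port: state} for listed TCP ports, {states of unlisted ports})."""
    listed, hidden = {}, set()
    for line in text.splitlines():
        line = line.strip()
        match = PORT_LINE.match(line)
        if match:
            listed[int(match.group(1))] = match.group(2)
        elif line.startswith("Not shown:"):
            hidden.update(state for _, state in HIDDEN.findall(line))
    return listed, hidden


def audit(text, allowed=frozenset(ALLOWED_TCP)):
    """Compare a scan with the intended inbound policy; return (port, verdict) pairs."""
    listed, hidden = parse_nmap(text)
    # Unlisted ports should all be dropped by the firewall ("filtered").
    findings = [(0, f"unlisted-{state}") for state in sorted(hidden - {"filtered"})]
    for port in sorted(set(listed) | set(allowed)):
        state = listed.get(port)  # None: port was not listed individually
        if port in allowed:
            if state == "closed":  # firewall passes it, but nothing is listening
                findings.append((port, "no-listener"))
            elif state != "open":  # filtered or unlisted: allow rule not effective
                findings.append((port, "blocked"))
        elif state != "filtered":  # reachable through the firewall, not in policy
            findings.append((port, "exposed"))
    return findings


if __name__ == "__main__":
    for port, verdict in audit(SAMPLE):
        print(port, verdict)
```

Run the scan from a machine outside the firewall's allowed source addresses, otherwise ports restricted to your own IP address (such as SSH) will be reported as exposed.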

Summing up

Overall I found the user interface easy to use and perfect for new Linux developers or sysadmins. An outsourced cloud firewall takes the guesswork out of setting up a valid IP policy. I have always preferred the approach of closing all windows and opening only the required TCP/UDP ports. Security is like an onion to me: you need different layers to protect your websites or apps. Hence, apart from the Linode cloud firewall, we need to install a WAF (web application firewall) like ModSecurity for Nginx or Apache. For DoS/DDoS attacks and bot control, you need a distributed cloud firewall provided by Cloudflare, Fastly, AWS and others. Don’t forget to check out the Linode firewall documentation as it gives more information.

Disclaimer: Linode is a nixCraft corporate sponsor since 2017. I write this review as a happy user, and I recommend them to all my clients and blog visitors.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.
