top | item 27671289

onebike | 4 years ago

This (Docker opening a hole in my firewall) is why I moved my dev server from Linode to Digital Ocean. DO provides a “cloud firewall” that provides something akin to AWS security groups and therefore can’t be messed with by Docker. Linode doesn’t have anything like that (last time I checked at least).

bombcar | 4 years ago

This is perhaps the best argument I’ve seen for a separate firewall device even if it’s in the cloud (and just software) - something on your box running as root may bypass your rules just to help you.

eru | 4 years ago

Alternatively, running all your services as VMs also helps.

Having root in a VM doesn't typically give you any rights on the hypervisor (at least not on e.g. Xen).

LinuxBender | 4 years ago

They recently added one. In fact I had to move many of my VMs to new hypervisors because the ones that didn't support the cloud firewall were deprecated. I don't even use their cloud firewall.

qbasic_forever | 4 years ago

Make sure to flip on the feature though; it's not on by default, last I saw, spinning up some droplets a few months ago.
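As an added example (not from the thread or from any of its posters), a defender-side audit for the "hole" onebike describes: a Docker published port bound to 0.0.0.0 or :: is reachable on every host interface regardless of host-level rules like those ufw manages, whereas a port bound to 127.0.0.1 is not. The script parses the `Ports` column of `docker ps` (sample output below is constructed) and reports host-wide bindings that are not on an allowlist of ports you intend to be public.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Only the `web` and `admin` lines publish ports on all interfaces;
# `db` is loopback-only and `cache` exposes a port without publishing it.
SAMPLE_PS = """\
web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp
db\t127.0.0.1:5432->5432/tcp
cache\t6379/tcp
admin\t0.0.0.0:9000->9000/tcp
"""

# One published mapping looks like HOST:HPORT->CPORT/PROTO; IPv6 "any" shows as ":::8080".
PORT_RE = re.compile(r"^(?P<host>.+):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$")
ALL_IFACES = {"0.0.0.0", "::", "[::]"}


def parse_ports(cell):
    """Return [(host_addr, host_port, proto)] for published mappings in one Ports cell.
    Unpublished entries such as '6379/tcp' carry no '->' and are skipped."""
    out = []
    for part in (p.strip() for p in cell.split(",")):
        m = PORT_RE.match(part)
        if m:
            out.append((m.group("host"), int(m.group("hport")), m.group("proto")))
    return out


def host_wide_bindings(ps_output):
    """Map container name -> bindings on every interface (0.0.0.0 / ::)."""
    found = {}
    for line in ps_output.splitlines():
        if "\t" not in line:
            continue
        name, cell = line.split("\t", 1)
        wide = [b for b in parse_ports(cell) if b[0] in ALL_IFACES]
        if wide:
            found[name] = wide
    return found


def unexpected_public_ports(ps_output, allowed):
    """Return sorted (container, port, proto) triples published host-wide that
    are NOT in `allowed`, i.e. the bindings a host firewall would not have caught."""
    flagged = set()
    for name, bindings in host_wide_bindings(ps_output).items():
        for _, port, proto in bindings:
            if port not in allowed:
                flagged.add((name, port, proto))
    return sorted(flagged)


if __name__ == "__main__":
    for item in unexpected_public_ports(SAMPLE_PS, allowed={8080}):
        print("host-wide publish not on allowlist:", item)
```

Run it against live output with `docker ps --format '{{.Names}}\t{{.Ports}}' | python3 audit.py` after swapping `SAMPLE_PS` for `sys.stdin.read()`.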