VPS and Firewalls


#1

Hi. I’m reaching the point where I’m close to deploying some services on a VPS, and wanted to run through my usual port blocking security regime. But I’m getting conflicting info from DH about what can or can’t be done.

Their docs and chat personnel are simultaneously claiming that:

  1. They don’t block any ports by default
  2. You should install/run a firewall if you want port protection
  3. The normal Debian/Linux firewalls based on iptables won’t work due to the virtualization system
  4. Use .htaccess (Pretty lame suggestion – only relates to httpd, and bangs on the httpd server for every evil packet.)

Can someone please clarify for me what’s actually going on? In particular, both saying “go ahead and install a firewall” and “iptables won’t work” makes no sense at all. But a totally open system is not acceptable.

Thanks.


#2

I wanted to ask the same exact thing, so instead of restating the same question in another thread, I’m reviving this one.

This thread seems to state that lots of firewall options are available, but I cannot see any.


#3

Looks like that part of my answer in that thread was made kind of confusing by an edit to the question — I believe they’d originally been asking about whether they could use “yum install …” to install a firewall. (To which the answer was “no, yum is a Red Hat thing; this is Debian, so you use apt-get or aptitude.”) As far as port blocking goes, though:

We do block access to a couple of ports from outside our network, but for the most part everything is open. This is a good thing: the alternative of blocking some ports would be worse, since it’d mean that there would be certain network services that you couldn’t provide from our servers whether you wanted to or not.

Iptables firewalls, indeed, don’t work under the Linux-VServer virtualization software that we use. Sorry.

As far as port blocking goes, keep in mind that you don’t need to block a port if you never open it in the first place. Most of the ports that are open on a DreamHost VPS by default are services that you’re expected to want to have (e.g., a web server for your site, and SSH and FTP servers for administration). If you’re running additional services that you need to lock down, most servers have an option to bind them to a private IP (127.0.0.1, or your server’s internal 10.x.x.x address) to make them inaccessible from the outside world.
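Post #3’s advice is to bind non-public services to 127.0.0.1 or the server’s internal 10.x.x.x address instead of relying on a packet filter. The script below is an added example, not code from this thread or from DreamHost: it parses the text output of `ss -tlnp` on a Debian host and classifies each listening TCP socket as loopback-only, private-network-only, or reachable from the Internet, then flags any public listener that is not on an allow-list. The `ss` output embedded here is a constructed sample (the service names, PIDs and ports are assumed, not captured from a real VPS).

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    exposure: str  # "public", "private" or "loopback"


def classify_bind_address(addr: str) -> str:
    """Map a bind address to who can reach the socket.

    "public"   - wildcard (0.0.0.0, ::, *) or routable address: open to the Internet
    "private"  - RFC 1918 address such as the VPS's internal 10.x.x.x: reachable
                 only from inside the hosting network
    "loopback" - 127.0.0.1 / ::1: reachable only from the host itself
    """
    if addr in ("*", "0.0.0.0", "::", "[::]"):
        return "public"
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


# "Local Address:Port" column as printed by ss: "0.0.0.0:22", "*:80", "[::1]:25"
_LOCAL_RE = re.compile(r"^(?P<addr>\*|\[[^\]]+\]|[^:\s]+):(?P<port>\d+)$")
# "Process" column as printed by ss -p: users:(("sshd",pid=812,fd=3))
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss_listeners(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text into Listener records; the header line is skipped."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        m = _LOCAL_RE.match(cols[3])
        if not m:
            continue
        proc = _PROC_RE.search(line)
        listeners.append(Listener(
            addr=m.group("addr"),
            port=int(m.group("port")),
            process=proc.group("name") if proc else "?",
            exposure=classify_bind_address(m.group("addr")),
        ))
    return listeners


def unexpected_exposure(output: str, allowed_public_ports: set[int]) -> list[Listener]:
    """Return Internet-reachable listeners whose port is not on the allow-list."""
    return [l for l in parse_ss_listeners(output)
            if l.exposure == "public" and l.port not in allowed_public_ports]


# Constructed sample of `ss -tlnp` output; services, PIDs and ports are assumed.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=1024,fd=4))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1200,fd=21))
LISTEN 0      128    10.1.2.3:11211      0.0.0.0:*         users:(("memcached",pid=1300,fd=26))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1400,fd=6))
LISTEN 0      128    [::1]:25            [::]:*            users:(("exim4",pid=1500,fd=4))
"""

if __name__ == "__main__":
    for l in parse_ss_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l.exposure:8} {l.addr}:{l.port} ({l.process})")
    # Only the web server and SSH are meant to be public on this host.
    for l in unexpected_exposure(SAMPLE_SS_OUTPUT, {22, 80}):
        print(f"REVIEW: {l.process} on {l.addr}:{l.port} is reachable from outside")
```

On a real host you would feed it the live output (`ss -tlnp | python3 audit.py`, with `audit.py` as a hypothetical file name) rather than the embedded sample. In the sample, MySQL and the mail daemon are loopback-only and memcached is bound to the internal 10.x address, which is exactly the arrangement post #3 recommends; the Redis listener on 0.0.0.0:6379 is the kind of thing this check is meant to surface, and the fix is the daemon’s own bind setting (for example `bind-address` in MySQL’s my.cnf or `ListenAddress` in sshd_config, both real options) rather than a firewall rule that Linux-VServer would not honour anyway.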


#4

I don’t like iptables. It complicates things. I think the best place to have firewall rules is in the main router.

Well, there might be cases where we need to have specific rules on a local machine. But in my workplace, we disabled the iptables service.


#5

Well, we don’t have access to the main router.

Andrewf, thanks for the quick response. While we can block every service we are running, it would have been much easier to have one central place to block everything. But if it can’t be done it can’t be done.

Someone should fix the wiki though, it is not very easy to understand.