My firewalls are not working correctly

Cloud Firewalls are designed to be intuitive, but the combination of multiple network policies and interaction with software active on Droplets can sometimes lead to unexpected results.

This guide explores strategies to gather information about your network policies and troubleshoot DigitalOcean Cloud Firewall issues. It covers how to:

  • Find your active Firewalls
  • View the comprehensive set of rules applied to a single Droplet
  • Discover host-based firewalls that might be active on a Droplet
  • Mitigate or resolve conflicting policies

Finding Firewall Information

The first step in diagnosing problems in your Firewall policy is to understand which rules are being applied. The control panel contains information about individual Firewalls as well as the combined rule set that applies to each Droplet.

Displaying Information About All Firewalls

To view all of your Firewalls in the DigitalOcean Control Panel, click on the Networking item in the main navigation pane and then select the Firewalls sub-item. The Firewall index page lists basic information about each of your Firewalls like the number of Droplets it applies to, the number of rules it contains, and when it was created:

Main Firewalls page

Clicking the name of a Firewall takes you to the Firewall detail page where you can see the policy’s individual rules and the Droplets it targets. This is also where you can add and remove Droplets and tags.

Droplet in a Firewall with more menu open

Reviewing the rules applied by each of your Firewalls can provide an overview of the types of network policy being enforced on your infrastructure as a whole.

Displaying the Firewall Policy Affecting an Individual Droplet

The Firewall index and detail pages are not the best place to look if you are interested in the policy affecting an individual Droplet. Instead, check the Droplet’s detail page.

From the Droplets item in the main control panel navigation menu, click the Droplet’s name. From there, click Networking in the Droplet menu. Towards the bottom of the page, a section called Firewalls lists the Firewalls that target the Droplet. Below, the policies from each of the Droplet’s Firewalls are combined into a comprehensive table:

Firewall combined ruleset

These inbound and outbound rules represent all of the traffic allowed through the Firewall for the Droplet. If you are experiencing issues with connectivity to your Droplet after applying a Firewall policy, this is a good place to look.

Displaying Host-Based Firewall Rules Active on Droplets

While the DigitalOcean Cloud Firewall service provides a network-based firewall solution, many administrators also run a host-based firewall on the Droplet itself. Popular host-based firewalls include iptables, UFW, and firewalld. When troubleshooting connectivity issues, check these services as well, because they may be filtering traffic at the Droplet level independently of the Cloud Firewall: a connection must be allowed by both layers to succeed.

Finding the UFW Firewall Settings

If your server runs a UFW firewall, you can view the current filtering rules by typing:

sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--
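The script below is an added example for the host-based firewall section; it is not part of DigitalOcean's guide or code. It first lists which of the host-based firewall tools named above (ufw, firewall-cmd for firewalld, iptables, nft) are installed on the Droplet, with the command that shows each one's live rules, and then reads a port's verdict out of the text that "ufw status verbose" prints, so you can tell whether the host firewall, rather than the Cloud Firewall, is the layer dropping a connection. It assumes only POSIX sh and awk; the SAMPLE_UFW text is constructed for the demonstration, not captured from a real Droplet.

```shell
#!/bin/sh
# Added example (not DigitalOcean's documentation or code): inventory the host-based
# firewall tools on a Droplet and read a port's verdict out of "ufw status verbose" text.
# Assumes only POSIX sh and awk; ufw, firewall-cmd, iptables and nft are real tools,
# and the SAMPLE_UFW text below is constructed, not captured from a live Droplet.

# List which host-based firewall tools are installed. "Installed" is not "active":
# the status command printed next to each one shows its live rules (normally as root).
host_firewall_inventory() {
    for entry in \
        'ufw:ufw status verbose' \
        'firewall-cmd:firewall-cmd --list-all' \
        'iptables:iptables -S' \
        'nft:nft list ruleset'
    do
        tool=${entry%%:*}
        status_cmd=${entry#*:}
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%-13s installed      (inspect with: sudo %s)\n' "$tool" "$status_cmd"
        else
            printf '%-13s not installed\n' "$tool"
        fi
    done
}

# Print the IPv4 verdict UFW gives a port, reading "ufw status verbose" output on stdin.
#   usage: ufw_port_verdict PORT [IN|OUT] < status.txt
# Output is the action of the first rule naming the port (ALLOW, DENY, REJECT or LIMIT);
# if no rule names it, "DEFAULT:<policy>" taken from the Default: line for that direction.
# Rule rows in the To column look like "22", "22/tcp" or "22/tcp (v6)"; port ranges such
# as "6000:6007/tcp" are not matched here.
ufw_port_verdict() {
    awk -v port="$1" -v dir="${2:-IN}" '
        /^Default:/ {
            # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
            key = (dir == "OUT") ? "outgoing" : "incoming"
            if (match($0, "[a-z]+ \\(" key "\\)")) {
                policy = substr($0, RSTART, RLENGTH)
                sub(/ .*/, "", policy)          # keep just the policy word
            }
        }
        ($1 == port || $1 ~ ("^" port "/")) && $2 != "(v6)" {
            # $2 is the action, $3 the direction (IN/OUT), the rest is the From column
            if ($3 == dir) { print $2; found = 1; exit }
        }
        END { if (!found) print "DEFAULT:" policy }
    '
}

# Constructed "ufw status verbose" output for the demonstration below.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   DENY IN     Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Read a verdict from the sample; on a real Droplet pipe "sudo ufw status verbose" in instead.
verdict_from_sample() {
    printf '%s\n' "$SAMPLE_UFW" | ufw_port_verdict "$1" "${2:-IN}"
}

host_firewall_inventory
for p in 22 80 3306 8080; do
    printf 'inbound port %-5s -> %s\n' "$p" "$(verdict_from_sample "$p" IN)"
done
```

On a Droplet, run "sudo ufw status verbose | ufw_port_verdict 22 IN" and compare the answer with the combined inbound rules shown on the Droplet's Networking page: if either layer returns a deny (or the port is simply absent from the Cloud Firewall table while UFW defaults to deny), that layer is where the connection is being dropped, and it needs a rule added there rather than in the other one.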