What do you want in a firewall?

SplitIce Member, Provider
edited March 2020 in General

We have all seen the "Cloud Firewall" products offered with bigger VPS providers (Vultr, DigitalOcean, AWS etc.). From my experience, these are pretty useless for anything but the most basic applications.

For the past 2 years I've been working on a way to scale custom mitigation and firewall rules (at Layer 3-5) to the scales we operate. It looks like this year we will finally achieve the scalability required to offer it.

What remains to be ascertained is the priority for implementation (at customer level) of various match parameters; I want this to be as useful as possible. What would you like to see available for either match parameters or target types in a Layer 4 firewall?

Currently Available:
- Full BPF (cBPF) expression matching (anything you could select with tcpdump)
- IP ban lists
- DROP target
- Evaluate either for new connections, or on every packet

Planned:
- RateLimit (white & black) target
- BAN target
- API support for adding/removing IPs from ban lists (i.e. so people can take control on their own servers and have us do the heavy lifting)

Possible:
- IP whitelist
- Paired Ports (accept only where connected to another port)
- DNS match
- TLS match
- String match ( performance :( )

What would you prioritize?

X4B - DDoS Protection: Affordable Anycast DDoS mitigation with PoPs in Europe, Asia, North and South America.
Latest Offer: Brazil Launch 2020 Offer

Comments

  • raindog308 Administrator, Moderator

    block by country like CSF does.

    I would think IP whitelisting is a pretty basic feature...but then, I've never used a "cloud" firewall.

    For LET support, please visit the support desk.

  • somik Member
    edited March 2020

    I would like it to be able to run without refueling. Hate it when you have to go top up gasoline to keep the fire wall up. But at least it keeps the zombies out.

    Don't be so serious. It's just a forum. No one cares what you think anyway.

  • SplitIce Member, Provider

    raindog308 said: block by country like CSF does.

    So poorly? I'm not keen on perpetuating GeoIP db inaccuracy to be honest.

    This is coming from someone who according to Maxmind is located in PNG currently on my home ISP.
