
I'm just setting up a server and wondering if it's necessary to set the firewall twice. For example, I have a security group with the following open ports: 80, 443, 22

Now I set up my server with UFW (a frontend for iptables). Do I have to set my ports here again, or just set them in iptables with no security group, or both?

Is there a difference or advantages/disadvantages?

Nepo Znat
    Having both means more to manage but protects you if you goof one of the two up. Traffic blocked at the AWS level never makes it to your instance, which can be very helpful. – ceejayoz Nov 19 '17 at 15:35
    Does Nginx include [UFW](https://help.ubuntu.com/community/UFW)? I thought Nginx just included Nginx. UFW appears to be a front end to iptables. If you set up security groups correctly (and possibly test them) there's no advantage to using both, but as ceejayoz says it provides a second line of protection. I don't bother, personally. – Tim Nov 19 '17 at 18:19
  • Thanks for the answers. Sorry, I meant it's installed on Ubuntu. – Nepo Znat Nov 19 '17 at 20:35

1 Answer


As Tim said in a comment, UFW is a frontend to iptables, so you should really compare iptables capabilities with Amazon Security Groups.

For me, the main SG advantage is integration with the AWS infrastructure. It allows you to build the entire stack using Amazon CloudFormation, get details about opened/closed ports/addresses via the API, etc. Disadvantage: it's vendor-locked, meaning you will need to redo everything if you decide to change hosting provider.

First of all, check the Amazon VPC limits. If your rule count is within the limits and your case doesn't require anything special like NAT implemented by iptables, it's sufficient to use Amazon SG only and leave UFW open. You can check this question as well for more details: Why have both security groups and iptables on Amazon EC2?

Tim
antrost
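If you do run both layers, the risk ceejayoz points to is that they drift apart. The script below is an added example, not code from the question or the answer: it compares the TCP ports a security group opens (parsed from the JSON shape `aws ec2 describe-security-groups` returns) with the ports UFW allows (parsed from `ufw status`), using constructed sample data for both, with a placeholder group id and a deliberately mismatched UFW rule set.

```python
"""Compare the TCP ports an AWS security group opens with the ports UFW allows."""
import json
import re

# Constructed sample in the shape `aws ec2 describe-security-groups` returns,
# trimmed to the fields used here; the group id is a placeholder.
SG_JSON = """{"SecurityGroups": [{"GroupId": "sg-PLACEHOLDER", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}]}"""

# Constructed sample of `ufw status` on the instance: 443 was forgotten and
# 8080 was opened by mistake, so the two layers disagree.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Matches plain "<port>/tcp" ALLOW lines (v4 or v6); app profiles such as
# "Nginx Full" and comma-separated port lists are not parsed here.
UFW_RULE = re.compile(r"^(\d+)/tcp(?: \(v6\))?\s+ALLOW\s", re.MULTILINE)

def sg_tcp_ports(describe_output):
    """TCP ports with an ingress rule in the first group of the JSON output."""
    ports = set()
    for perm in json.loads(describe_output)["SecurityGroups"][0]["IpPermissions"]:
        if perm["IpProtocol"] == "tcp":
            ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return ports

def ufw_tcp_ports(status_output):
    """TCP ports with an ALLOW rule in `ufw status` output, v4 and v6 merged."""
    return {int(port) for port in UFW_RULE.findall(status_output)}

def compare_layers(describe_output, status_output):
    """Ports one layer opens that the other does not: 'blocked_by_ufw' means the
    SG admits it but the host drops it (a likely goof); 'only_in_ufw' is harmless
    for inbound traffic, since the SG drops it first, but flags drift."""
    sg, ufw = sg_tcp_ports(describe_output), ufw_tcp_ports(status_output)
    return {"blocked_by_ufw": sg - ufw, "only_in_ufw": ufw - sg}

if __name__ == "__main__":
    print(compare_layers(SG_JSON, UFW_STATUS))
```

On a real instance, feed it the actual CLI and `ufw status` output instead of the constructed samples; the report then shows which of the two firewalls was "goofed up".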