by eric4smith 2142 days ago
OVH Hardware, support and pricing is GREAT! Buuuuutttttt...

Their firewall situation is not. Guess what, if you use the supplied firewall, any server from any other customer in the local NOC that your server is in, can connect to your server. They seem to be all "safely" behind the OVH firewall product.

You have to protect each server individually with its own in-machine firewall.

I don't want to automatically trust all other OVH customers.

At first I thought I was doing something wrong (more than a decade of setting up firewalls). But I did put in a support ticket and they confirmed this.

Maybe I'm wrong, maybe something I did not understand, but damn... If I'm not.... :-(

4 comments

> You have to protect each server individually with its own in-machine firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security, did I understand OVH's information incorrectly?

Ouch. That probably means there's a metric shit tonne of VMs running Docker with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to your VMs using the hosting infrastructure capabilities, e.g. separate from the iptables (etc.) rules on each host.

Yes. There are two different products: VAC, which is for DDoS protection, and general SDN firewall/security groups which is only OVHcloud (not dedicated servers).

In the most general case, it seems other customers can actually send DDoS/volumetric traffic toward you from within OVH and it doesn't get picked up.

That's not really even a firewall issue, just a very poorly configured network. Pretty shameful for a provider of their size.
Because I was thinking about OVHCloud, they don't have a VPN with private IPs? And load balancers like AWS/Digital Ocean?

Can this be mitigated by using something like ufw and restricting the IP access?

Unless you use docker, then it doesn't really matter. Really have to make sure your docker containers are not exposing ports they shouldn't be.

Is there a good tutorial you can recommend on how to audit this?

No, but I would start with a `docker ps` and see what ports it's forwarding.

That is what the OP said to do in his post.
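An added audit script, not posted in the thread and not OVH's or Docker's own tooling, that does what the `docker ps` suggestion and the earlier Docker-and-ufw comments describe. It parses `docker ps` output in the `--format '{{.Names}};{{.Ports}}'` shape (sample output for the hypothetical containers web, db, cache and api is constructed inline), flags every published port bound to a wildcard address, which Docker's own iptables rules open regardless of ufw, and then prints (does not apply) the DOCKER-USER chain rules Docker documents for restricting those ports to a trusted source range. The interface name eth0 and the CIDR 203.0.113.0/24 are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit Docker-published ports that bypass
# the host firewall, then generate DOCKER-USER rules to restrict them.

# Constructed sample of `docker ps --format '{{.Names}};{{.Ports}}'` output for
# four hypothetical containers. Only wildcard bindings (0.0.0.0 / ::) are
# reachable from other hosts; 127.0.0.1 bindings and unpublished ports are not.
SAMPLE_PS='web;0.0.0.0:80->80/tcp, :::80->80/tcp
db;127.0.0.1:5432->5432/tcp
cache;6379/tcp
api;0.0.0.0:8080->8080/tcp'

# exposed_ports PS_OUTPUT
# Prints "container hostport proto" for every port published on a wildcard
# address. Docker DNATs these in the nat table and accepts them through its own
# DOCKER chain hooked into FORWARD, so ufw's INPUT-chain rules never see them.
exposed_ports() {
  printf '%s\n' "$1" | awk -F';' '{
    n = split($2, b, ", ")
    for (i = 1; i <= n; i++) {
      p = b[i]
      # published bindings look like ADDR:HOSTPORT->CPORT/proto
      if (p ~ /^0\.0\.0\.0:/ || p ~ /^:::/) {
        proto = p; sub(/^.*\//, "", proto)   # "tcp" or "udp"
        hp = p;    sub(/->.*$/, "", hp)      # "0.0.0.0:80" or ":::80"
        sub(/^.*:/, "", hp)                  # "80"
        print $1, hp, proto
      }
    }
  }' | sort -u   # v4 and v6 bindings of one port collapse to one line
}

# docker_user_rules IFACE CIDR
# Prints (does not apply) the iptables commands Docker documents for the
# DOCKER-USER chain: drop traffic arriving on the public interface from any
# source outside CIDR, and let established/related return traffic through.
# Both use -I so they land ahead of the chain's default RETURN rule; the
# conntrack rule is inserted last so it is evaluated first.
docker_user_rules() {
  iface=$1; cidr=$2
  printf 'iptables -I DOCKER-USER -i %s ! -s %s -j DROP\n' "$iface" "$cidr"
  printf 'iptables -I DOCKER-USER -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN\n' "$iface"
}

echo "Ports reachable from other hosts despite ufw:"
exposed_ports "$SAMPLE_PS"
echo
echo "Suggested DOCKER-USER rules (eth0 and 203.0.113.0/24 are placeholders):"
docker_user_rules eth0 203.0.113.0/24
```

On a live host, feed the function real output with `exposed_ports "$(docker ps --format '{{.Names}};{{.Ports}}')"`. Containers that only need to be reached locally are better published on `127.0.0.1:PORT:PORT` in the first place, which the audit then leaves unflagged, as with the `db` entry above.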