Block producing node always stuck at "starting.." epoch is 0

Security issues: you must activate the firewall and open only the desired ports… be careful when you activate it; before activating, add a rule for the SSH port, otherwise you will cut your own connection.

Check if you added the Producer IP and port in the topology updater script on the relay.
Also check the FW on the Producer… check if the port is open to accept incoming connections from your relay.

I think it may be related to an inbound firewall, since your BP has an outgoing connection to your Relay, so I think your topology is correct.

An inactive UFW means your firewall is disabled. Does your machine have another firewall? You need to have the BP node allow inbound connections on the port specifically from the Relay node.

i.e., on AWS I have inbound open to TCP port 6000 for [relay-ip-address], and on my BP node I have a ufw rule for TCP port 6000 to [relay-ip-address].

My machine is running on AWS; I assume they have a firewall. I will check the inbound rule again. However, how to set a ufw rule is what I am not familiar with; which script should I set it in? I have been following coincashew, and that's all the scripts I have. Please advise how I should set the firewall.

I checked the updater script; it has the BP IP and port. I am not sure how to check the below:
“Also check the FW on the Producer… check if the port is open to accept incoming connections”

I followed @ADAfrog on how to set mine.
On relay nodes (not necessary since we have the AWS firewall, but a precaution on the server):

ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [custom ssh port]
ufw allow [relay port]/tcp

on block producer (bp) node:

ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [custom ssh port]
sudo ufw allow from [relay 1 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 2 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 3 ip] to any port [bp node port] proto tcp

It depends on how you have your VPC set up in AWS. Are you running the BP in a private subnet and the Relays in a public subnet?

I have two separate security groups in my setup. One for my BP and one for my Relays.

Example:
BP -
Inbound connections:
Custom TCP - [SSH Port] - [My IP Address]/32
Custom TCP - [Relay Port (i.e., 6000)] - CIDR [Relay IP Address]/32

Relays -
Inbound connections:
Custom TCP - [SSH Port] - [My IP Address]/32
Custom TCP - [Relay Port (i.e., 6000)] - CIDR 0.0.0.0/0

I have the Amazon port 6000 open to the relay; however, I don't know how to do the ufw part. Is it in a certain script, or at the command line? What should be the proper command? Currently sudo ufw status shows as inactive.

To check the port/connectivity try:

  • from producer
    telnet Relay_IP Relay_port

  • from relay
    telnet Producer_IP Producer_port

You should see Connected; if not, check the port.

Thanks a lot for the detailed instructions. I followed your lower section on the AWS settings.
I wonder, do I need to reboot Ubuntu on both BP and Relay?

“ufw limit proto tcp from any to any port [custom ssh port]”: should I fill in 22 as the custom SSH port?

For your node, SSH in and run ADAFrog's commands below (make sure your IPs and ports are correct).

On Relay Nodes

ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [custom ssh port]
ufw allow [relay port]/tcp

On block producer (bp) node:

ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [custom ssh port]
sudo ufw allow from [relay 1 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 2 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 3 ip] to any port [bp node port] proto tcp

Once you are done you can enable it:
sudo ufw enable
IMPORTANT: PLEASE MAKE SURE THAT THE CORRECT SSH PORT IS OPEN BEFORE YOU ENABLE. If not, you will be locked out of your EC2 instance.

On Amazon, can you provide a screenshot of your security group settings for the BP node and Relay node (maybe details of your VPC too)? Please hide your IP; just the settings are fine.

1 Like
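The rule sets above, as an added example that is not part of the original thread: a small POSIX sh script that prints the ufw commands for a relay or a BP node and only prints `ufw enable` once an SSH rule is present in the rule list, so a mistyped SSH port cannot lock you out. The relay IPs and ports are constructed values; nothing here touches the firewall until you run the printed commands yourself.

```shell
#!/bin/sh
# Added example, not from the thread: generate the ufw rule set for a relay or
# block-producer (BP) node, and gate "ufw enable" on an SSH rule already being
# in the rule list, so a mistyped SSH port cannot lock you out of the EC2 box.
# Nothing here touches the firewall: commands are printed for review only.

# ufw_rules ROLE SSH_PORT NODE_PORT [RELAY_IP ...]
# relay: node port open to anyone; bp: node port open only to listed relays.
ufw_rules() {
  role=$1; ssh_port=$2; node_port=$3; shift 3
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw limit proto tcp from any to any port $ssh_port"   # rate-limited SSH
  case $role in
    relay) echo "ufw allow proto tcp from any to any port $node_port" ;;
    bp)    [ $# -gt 0 ] || { echo "bp needs at least one relay IP" >&2; return 1; }
           for ip in "$@"; do
             echo "ufw allow from $ip to any port $node_port proto tcp"
           done ;;
    *)     echo "unknown role: $role" >&2; return 1 ;;
  esac
}

# ssh_rule_present SSH_PORT   (rule list on stdin)
# Heuristic: the port appears as "port 22" or "22/tcp" on a limit/allow line.
# Works on the lines above, on "ufw show added" and on "ufw status" output.
ssh_rule_present() {
  grep -Ei "(^|[ /])$1(/tcp)?( |$)" | grep -Eiq "limit|allow"
}

# guarded_enable SSH_PORT   (current rule list on stdin, e.g. sudo ufw show added)
guarded_enable() {
  if ssh_rule_present "$1"; then
    echo "ufw enable"
  else
    echo "refusing to enable: no rule for SSH port $1 yet" >&2
    return 1
  fi
}

# Demo with constructed values: BP on port 6000, two relays, SSH on port 22.
planned=$(ufw_rules bp 22 6000 203.0.113.10 203.0.113.11)
echo "$planned"
echo "$planned" | guarded_enable 22
```

On a real node, run the printed rules with sudo, then `sudo ufw show added | guarded_enable 22` (with your own SSH port) to confirm the guard passes before enabling.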

What is your SSH port? If you don't pass a -p switch when connecting, then it is most likely port 22. I.e.,
ssh user@123.45.67.89

versus a non-default port:
ssh user@123.45.67.89 -p 6969

On BP:
telnet 3.142.247.56 6000
Trying 3.142.247.56...
Connected to 3.142.247.56.
Escape character is '^]'.

On the Relay it seems not connected; it says trying…
Where can I check if the port is opened properly? Is it through ufw, or the AWS firewall, or mainnet-topology.json, or updater.sh?
The updater.sh has no custom IP required.

I use ssh without -p, so I believe it should be 22; this port is fine. However, should I reboot Ubuntu? Last time it seemed I didn't need to reboot Ubuntu; the AWS inbound rule change took effect. Now I checked with telnet as Alex suggested, and it seems relay to BP is not working.

Type on your producer: sudo ufw status
Is it active?

No, on both BP and relay sudo ufw status shows inactive.

AWS Security Groups –
For the Relay Security Group:
You can remove the BP port. You want to keep port 6000 on the relay open for inbound so other nodes can pull the blocks (I think this is right; that's what I have for mine):

On your BP Security Group:
If your relay node IP is x.x.x.x and port 6000, then this looks correct. Does your block producer node have access to the internet or is it sitting on a private subnet?

1 Like

How do I know if it is a private subnet? For both BP and relay I use the same instance configuration.
I just restarted both nodes and the ufw status still shows as inactive. I have not enabled ufw; are the commands below okay, so that I won't lose the connection to the server?

On relay:

sudo ufw limit proto tcp from any to any port 22
sudo ufw allow from 3.142.247.56 to any port 6000 proto tcp

On BP:

sudo ufw limit proto tcp from any to any port 22
sudo ufw allow from 3.142.247.56 to 18.221.48.241 port 6000 proto tcp

Yes, the rules are correct… add the rules first, check with sudo ufw status, and then activate the FW with the sudo ufw enable command.

If you selected the default VPC when creating your EC2 instances you probably have it all sitting on a public subnet.

@Alexd1985, for the relay, isn't it supposed to be sudo ufw allow 6000/tcp for all inbound? Just double-checking, because that's what I have on mine.

that’s correct!

sudo ufw allow proto tcp from any to any port 6000