Firewall setting question

Hello,

I've been following the CoinCashew instructions and have a question on the firewall settings.

On my relay node and the block producing node, I set the rules as follows:

6000/tcp ALLOW Anywhere
2244/tcp ALLOW Anywhere

2244 is for SSH login and 6000 for my nodes.
I also deleted the (v6) ports.

Should I open port 3001, the port number shown in the topology file?
And the v6 port as well?

cat > $NODE_HOME/${NODE_CONFIG}-topology.json << EOF
{
  "Producers": [
    {
      "addr": "<BLOCK PRODUCER NODE'S PUBLIC IP ADDRESS>",
      "port": 6000,
      "valency": 1
    },
    {
      "addr": "relays-new.cardano-mainnet.iohk.io",
      "port": 3001,
      "valency": 2
    }
  ]
}
EOF

6000/tcp ALLOW Anywhere
2244/tcp ALLOW Anywhere
2244 is for SSH login and 6000 for my nodes.
I also deleted the (v6) ports.

The relay should accept connections from any address on port 6000.
The BP should accept connections only from the relay on port 6000.

Should I open port 3001, the port number shown in the topology file?
And the v6 port as well?

Nope, it's for outgoing traffic so you don't need it; you are filtering only the incoming traffic.


Thanks Alex,
If my relay is out syncing, how do the other nodes know my port number?

For this you will use the topology updater script to announce the IP + port to the network, and you will register the relay to the network; but for the moment wait for the nodes to sync, it can take 1-2 days.


# On your Relays
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Rate-limit SSH instead of plain allow (ufw blocks an IP after repeated connection attempts).
sudo ufw limit proto tcp from any to any port [ssh port]
# Open the node port on relays; anyone may connect to a relay.
sudo ufw allow proto tcp from any to any port [relay node port]

# On your BP
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit proto tcp from any to any port [ssh port]
# Open the node port for your public_address, but only to your own relays.
# This is the port the relays will connect to; nobody else should reach it.
sudo ufw allow from [relay 1 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 2 ip] to any port [bp node port] proto tcp

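To tie the two answers together (ports in the topology file are outgoing, so only the node's own listening port needs an inbound rule; the BP additionally restricts that port to its relays), here is an added example that is not from the thread or from the CoinCashew guide. It parses a constructed topology (RFC 5737 documentation addresses stand in for the real IPs) and generates the ufw rule set for either role; the function names are my own.

```python
import ipaddress
import json

# Constructed sample: the relay's topology from the thread, with a documentation
# (RFC 5737) address standing in for the block producer's public IP.
RELAY_TOPOLOGY = json.loads("""
{ "Producers": [
    { "addr": "203.0.113.10", "port": 6000, "valency": 1 },
    { "addr": "relays-new.cardano-mainnet.iohk.io", "port": 3001, "valency": 2 }
] }
""")


def classify_ports(topology, listen_port):
    """Split ports into the one inbound rule you need and the ports that need none.

    Every Producers entry is a connection this node *opens*, so its port is
    outgoing traffic and is already covered by 'ufw default allow outgoing'.
    The only inbound rule is for the port this node itself listens on; 6000
    shows up in both lists because the relay listens on 6000 *and* dials the
    BP on 6000, which are two different sockets.
    """
    remote_ports = sorted({int(p["port"]) for p in topology["Producers"]})
    return {"open_inbound": [listen_port], "outbound_no_rule": remote_ports}


def ufw_rules(role, ssh_port, node_port, relay_ips=()):
    """Inbound rule set for a relay (open to anyone) or a BP (relays only)."""
    rules = [
        "ufw default deny incoming",
        "ufw default allow outgoing",
        f"ufw limit proto tcp from any to any port {ssh_port}",  # rate-limit SSH
    ]
    if role == "relay":
        rules.append(f"ufw allow proto tcp from any to any port {node_port}")
    elif role == "bp":
        if not relay_ips:
            raise ValueError("a block producer must allow at least one relay IP")
        for ip in relay_ips:
            ipaddress.ip_address(ip)  # reject a typo before it silently widens the rule
            rules.append(f"ufw allow from {ip} to any port {node_port} proto tcp")
    else:
        raise ValueError(f"unknown role: {role}")
    return rules


if __name__ == "__main__":
    print(classify_ports(RELAY_TOPOLOGY, 6000))
    print("\n".join(ufw_rules("bp", 2244, 6000, ["198.51.100.7"])))
```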

Does anyone know if this vital information is documented anywhere (such as Setup Firewall | Cardano Developer Portal)?

Hi Iaksma, I also have a few more ufw rules.

By default, deny all incoming and allow outgoing traffic:

sudo ufw default deny incoming
sudo ufw default allow outgoing

The second rule allows outgoing traffic, so there is no need to open additional ports, as these are outgoing connections.
