Firewall setting question

Hello,

I’ve been following the Coin Cachew instruction and have a question on the firewall setting

On my relay node and the block producing node, I set the rules as follows

6000/tcp ALLOW Anywhere
2244/tcp ALLOW Anywhere

2244 for ssh login and 6000 for my nodes.
and also I deleted (v6) port

Should I open the port 3001 as the port number shown in the topology file?
and v6 port as well?

cat > $NODE_HOME/${NODE_CONFIG}-topology.json << EOF
{
“Producers”: [
{
“addr”: “<BLOCK PRODUCER NODE’S PUBLIC IP ADDRESS>”,
“port”: 6000,
“valency”: 1
},
{
“addr”: “relays-new.cardano-mainnet.iohk.io”,
“port”: 3001,
“valency”: 2
}
]
}
EOF

6000/tcp ALLOW Anywhere
2244/tcp ALLOW Anywhere
2244 for ssh login and 6000 for my nodes.
and also I deleted (v6) port

Relay should accept from any on port 6000
BP should accept connection only from the Relay on port 6000

Should I open the port 3001 as the port number shown in the topology file?
and v6 port as well?

Nope, it’s for out so u don’t need, u are filtering only the incoming traffic

1 Like

Thanks Alex,
If my relay is out syncing how the other nodes know my port number?

For this u will use the topology updater script, to announce the IP + port to the network + u will register the relay to the network, but for the moment wait for the nodes to sync; can take 1-2 days

1 Like

##On your Relays
ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [ssh port]
#Open port on relays.
ufw allow proto tcp from any to any port [relay node port]

##On your BP
ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port [ssh port]
#Open a port for your public_address. This is the port other nodes will connect to.
sudo ufw allow from [relay 1 ip] to any port [bp node port] proto tcp
sudo ufw allow from [relay 2 ip] to any port [bp node port] proto tcp

2 Likes

Does anyone know if this vital information documented anywhere (such as Setup Firewall | Cardano Developer Portal )?

Hi Iaksma, I also have a few more ufw rules.

By default, deny all incoming and allow outgoing traffic

sudo ufw default deny incoming
sudo ufw default allow outgoing

The second rule allows outgoing traffic so no need to open additional ports as these are outgoing connections.

1 Like