Port 3001 (relays-new.cardano-mainnet.iohk.io) mainnet-topology

"addr": "relays-new.cardano-mainnet.iohk.io",
"port": 3001,
"valency": 2

Is there a UFW rule that can be created for this? It seems it goes out, so it can be blocked in? Are there any specific rules I can do? Like
sudo ufw allow from relays-new.cardano-mainnet.iohk.io to any port 3001

Hello,

If u want to block all incoming traffic other than ur relay then in ur fw u should add only one line

sudo ufw allow proto tcp from Relay_Ip to any port xxx (where xxx is the cnode port)

check ur fw status

sudo ufw status

2 Likes

Can you expain this more? What is FW?

FW - shortcut for firewall?

Okay so I have a normal port setup already like this

sudo ufw allow from x.x.x.x to any port xxx

is proto tcp different? What is proto?

I was trying to figure out if there was a special way to setup ports for relays-new.cardano-mainnet.iohk.io

I’m really sorry but I have to say this quite directly now. If you don’t know what a firewall is you are not a good candidate for running a server. No matter which server.

Please take a look into hardening fundamentals. Please take this seriously. Stakepools are the backbone of the Cardano Blockchain.

Key principles for Stakepool:
No Private Keys on the server.
No SSH access for public (fw rule)
No root access
No password login
Only open Node Port
Producer open for Relay
Relay open for the world.
Run the Node with a service user with limited privileges

1 Like

proto - protocol which can be tcp or udp … by default with no proto specified the FW will block both

1 Like

I know what a firewall is and have used Linux for 20+ years. I just didn't know what his FW abbreviation was as that could have been anything.

And my server is very hardened: SSH key, ports limited, fail2ban, IPv6 disabled, root disabled, and others.

Alright, glad to hear that :wink:
And sorry for my offensive comment!

1 Like

My question is how do I open the port just for that website "relays-new.cardano-mainnet.iohk.io" so I don't have just the port 3001 open anywhere.

Why u want to open it?

All good, and I just added GuardDuty and am planning to add some other tools for hardening. I have a cold environment as well and plan to get an encrypted USB stick for transferring files.

The port 3001 is inside of the topology.

"addr": "relays-new.cardano-mainnet.iohk.io",
"port": 3001,
"valency": 2
}
]
}

U can encrypt gpg files before transferring them

1 Like

Yes, but 3001 is for the destination port not for source… so u don’t have to do anything… that part of topology config will be deleted once ur node is synced

So I don't need any port rules for 3001 in or out?

1 Like

Nope… on producer accept traffic (in) only from ur relay

xxxx ALLOW IN x.x.x.x

should it be this or proto?

Yes, the rule is fine, u will accept tcp and udp traffic
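The rule set the replies above describe (the producer accepts its node port only from its relay's IP, with proto tcp so UDP is not admitted as a side effect; the relay is open to the world on the node port; nothing at all for the topology's port 3001, which is the destination port of outbound connections), as an added example that is not from anyone in this thread: a POSIX sh script that emits the ufw commands as a dry run, or applies them with --apply. Port 6000, the relay addresses 10.0.0.5/10.0.0.6 and the admin address 203.0.113.10 are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (or, with --apply, runs) the
# UFW rule set the replies describe. Port and addresses are placeholders.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# ufw takes addresses/CIDRs, not hostnames, so check before building a rule.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# producer_rules PORT RELAY_IP [RELAY_IP ...]
# "proto tcp" is deliberate: the node speaks TCP only, and a rule without
# "proto" would admit UDP from the relay as well.
producer_rules() {
  port="$1"; shift
  [ "$#" -ge 1 ] || { echo "producer_rules: at least one relay IP required" >&2; return 1; }
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for relay in "$@"; do
    is_ipv4 "$relay" || { echo "producer_rules: not an IPv4 address: $relay" >&2; return 1; }
    echo "ufw allow proto tcp from $relay to any port $port"
  done
  # Nothing for 3001: in the topology file it is the destination port of
  # outbound connections to the IOHK relays, covered by "default allow outgoing".
}

# relay_rules PORT [ADMIN_IP]
# A relay is open to the world on its node port; SSH, if opened at all,
# only from one admin address.
relay_rules() {
  port="$1"; admin="${2:-}"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow proto tcp from any to any port $port"
  if [ -n "$admin" ]; then
    is_ipv4 "$admin" || { echo "relay_rules: not an IPv4 address: $admin" >&2; return 1; }
    echo "ufw allow proto tcp from $admin to any port 22"
  fi
}

# Dry run by default; "--apply" runs each line through sudo and shows the result.
main() {
  role="${1:-producer}"; mode="${2:-dry-run}"
  case "$role" in
    producer) rules=$(producer_rules 6000 10.0.0.5 10.0.0.6) || return 1 ;;  # placeholder relay IPs
    relay)    rules=$(relay_rules 6000 203.0.113.10) || return 1 ;;           # placeholder admin IP
    *) echo "usage: $0 [producer|relay] [--apply]" >&2; return 1 ;;
  esac
  if [ "$mode" = "--apply" ]; then
    printf '%s\n' "$rules" | while IFS= read -r cmd; do sudo $cmd; done
    sudo ufw status numbered
  else
    printf '%s\n' "$rules"
  fi
}

main "$@"
```

Run it as `sh ufw-rules.sh producer` to see the commands first, then `sh ufw-rules.sh producer --apply` once the addresses are right; after applying, `sudo ufw status numbered` should list only the relay entries on the node port. If the producer stops syncing after the change, the usual cause is that the relay IP in the rule is not the address the relay actually connects from (a public address when the nodes talk over private ones, or the reverse).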

I think my nodes aren't syncing now with the UDP/TCP rules. They were working when it said ANYWHERE.

gLive is working, so I don't really know if it is or not; the block producer isn't really doing anything in tmux, looking like just errors.

I'm using my private IPs for my ports and topology.