Port forwarding: I did follow the CoinCashew guide and my ufw status looks like this:
Status: active
To                         Action      From
22/tcp                     ALLOW       Anywhere
6000/tcp                   ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
9100/tcp                   ALLOW       Anywhere
12798/tcp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
6000/tcp (v6)              ALLOW       Anywhere (v6)
3000/tcp (v6)              ALLOW       Anywhere (v6)
9100/tcp (v6)              ALLOW       Anywhere (v6)
12798/tcp (v6)             ALLOW       Anywhere (v6)
And I have added a port forwarding rule on my router:
TCP port 6000 & UDP port 6000, on both bp-server & nr-server. Is this correct, and should I add any more rules?
I use bare metal servers.
Best regards,
Hello
UFW
You should not open your cardano node port to “any” on your Block Producer. Your BP should only allow your Relays to connect. Something like this:
6000/tcp                   ALLOW IN    <IP of your RELAY 1>
6000/tcp                   ALLOW IN    <IP of your RELAY 2>
3000 TCP is only used to access the Grafana web server out-of-the-box. You don’t have to open it on every node… Only on the Grafana server… And even on Grafana I would not open it; I would use SSH forwarding or a reverse proxy instead.
You should change your SSH port.
Port forwarding
Regarding port forwarding on your router: do not port-forward 6000 to your BP if your Relays and BP are on the same private LAN. Only your Relays should be reachable from the internet.
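As an added example (not from the original posts or the CoinCashew guide), the shell helpers below do two things the reply above describes: print a ufw ruleset for a Block Producer that accepts the node port only from named relays and keeps Grafana and the exporters closed, and audit saved `ufw status` output for the mistake in the first post, a node port ALLOWed from "Anywhere". Port 6000 is the cardano-node port from the thread; 2222 is a stand-in for whatever custom SSH port you choose; the relay IPs and the two `ufw status` samples are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example for this thread (not from the original posts).
# Assumptions: node port 6000 (as in the thread), SSH moved to 2222
# (stand-in value), Grafana on 3000. Relay IPs are placeholders.

NODE_PORT=6000
SSH_PORT=2222
GRAFANA_PORT=3000

# Print (do not run) the ufw commands for a Block Producer.
# Arguments: the IPs of your relays.
bp_ufw_rules() {
  echo "sudo ufw default deny incoming"          # nothing in unless listed
  echo "sudo ufw default allow outgoing"
  echo "sudo ufw limit ${SSH_PORT}/tcp"          # custom SSH port, rate limited
  for relay in "$@"; do
    # Produces the "6000/tcp  ALLOW IN  <relay IP>" lines from the reply
    echo "sudo ufw allow from ${relay} to any port ${NODE_PORT} proto tcp"
  done
  # 3000, 9100 and 12798 stay closed; reach Grafana through an SSH tunnel
  echo "# from your workstation: ssh -N -L ${GRAFANA_PORT}:localhost:${GRAFANA_PORT} -p ${SSH_PORT} user@grafana-host"
  echo "sudo ufw enable"
}

# Audit: takes the text of `ufw status` as its single argument.
# Returns 0 if no rule exposes NODE_PORT to Anywhere (v4 or v6), else 1.
audit_ufw_status() {
  exposed=$(printf '%s\n' "$1" \
    | grep -E "^${NODE_PORT}/tcp( \(v6\))? +ALLOW( IN)? +Anywhere" || true)
  if [ -n "$exposed" ]; then
    printf 'EXPOSED to the internet:\n%s\n' "$exposed"
    return 1
  fi
  echo "OK: port ${NODE_PORT} is not open to Anywhere"
  return 0
}

# Constructed samples: the shape of the first post's status (bad) and of
# a status produced by the ruleset above (good).
BAD_STATUS='Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
6000/tcp                   ALLOW       Anywhere
6000/tcp (v6)              ALLOW       Anywhere (v6)'

GOOD_STATUS='Status: active
To                         Action      From
--                         ------      ----
2222/tcp                   LIMIT       Anywhere
6000/tcp                   ALLOW IN    192.168.0.198
6000/tcp                   ALLOW IN    192.168.0.199'

# Stand-alone usage: show the ruleset, then audit both samples
bp_ufw_rules 192.168.0.198 192.168.0.199
audit_ufw_status "$BAD_STATUS" || true
audit_ufw_status "$GOOD_STATUS"
```

Run the audit against a real host with `audit_ufw_status "$(sudo ufw status)"` after applying the rules. The check deliberately matches both the plain `ALLOW` and the `ALLOW IN` spelling, and the `(v6)` variant, because the v6 line in the first post is just as exposed as the v4 one.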
Thank you for your excellent reply! I am trying to reverse my mistakes. I can't manage to change the SSH port: I did change the port to a custom port in sshd_config, and I did run the command:
sudo ufw allow ssh #/tcp
but it does not show up when I run the command (sudo ufw status); now it looks like this:
Status: active
To                         Action      From
22/tcp                     DENY        Anywhere
6000/tcp                   ALLOW       Anywhere
3000/tcp                   DENY        Anywhere
9100/tcp                   DENY        Anywhere
12798/tcp                  DENY        Anywhere
6000/tcp                   ALLOW       192.168.0.198
22/tcp (v6)                DENY        Anywhere (v6)
6000/tcp (v6)              ALLOW       Anywhere (v6)
3000/tcp (v6)              DENY        Anywhere (v6)
9100/tcp (v6)              DENY        Anywhere (v6)
12798/tcp (v6)             DENY        Anywhere (v6)
Also, if I don't need the SSH tunnel to the Grafana server, how do I delete the tunnel? What did you mean by "use SSH forwarding or a reverse proxy"?
Best regards,