Docs: expanded firewall notes & moved to Appendices

troymc 2016-07-06 11:08:39 +02:00
parent 28e9f55e40
commit 079c23eb66
4 changed files with 26 additions and 13 deletions

View File

@ -0,0 +1,23 @@
# Notes on Firewall Setup
When you set up the firewall (or security group on AWS) for a BigchainD node, here is a list of the ports where _unsolicited_ inbound traffic is expected:
22 - The default SSH port (TCP) <br>
8080 - The default port for the RethinkDB web interface (TCP) <br>
9984 - The default port for the BigchainDB client-server API (TCP) <br>
28015 - The default port for RethinkDB client driver connections (TCP) <br>
29015 - The default port for RethinkDB intracluster connections (TCP)
It you run an NTP daemon (client) on your BigchainDB node (and you should), then it shouldn't allow _all_ incoming UDP traffic on port 123 (the default NTP port). The only time it should allow incoming traffic on port 123 is if the NTP daemon sent a request to an external NTP server, and it's expecting a response from that server (i.e. established or related traffic). If you're using iptables for your firewall, then you should have an iptables rule allowing established, related traffic, something like:
```text
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Other ports you might need to consider include:
53 - The default DNS port (UDP) <br>
161 - The default SNMP port (usually UDP, sometimes TCP)
If your node's firewall isn't allowing all outbound traffic, then it must at least allow outbound traffic on the above-mentioned ports (including port 123 for NTP).
Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.)
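Review bot: the `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` rule only restricts port 123 the way this section describes if the INPUT chain ends in DROP (an `iptables -P INPUT DROP` policy or a trailing `-j DROP` rule) and the accept rule is listed before it; a reader who appends it to a chain whose policy is still ACCEPT gets no restriction at all, so the snippet should state the expected default policy and rule order (and `-m conntrack --ctstate ESTABLISHED,RELATED` is the current form, `-m state` being the legacy match). Two typos in the same hunk: "BigchainD node" should be "BigchainDB node" and "It you run" should be "If you run". One more sentence would also help: the five listed ports are where unsolicited inbound traffic is expected, not where it should be open to every source; 22 and 8080 belong restricted to administrative source addresses and 29015 to the addresses of the other nodes in the cluster, with 9984 and 28015 opened only as widely as the node's clients need.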

View File

@ -11,6 +11,7 @@ Appendices
cryptography
the-Bigchain-class
consensus
firewall-notes
ntp-notes
example-rethinkdb-storage-setups
local-rethinkdb-cluster

View File

@ -6,8 +6,6 @@
* Logging
* Node monitoring & crash recovery
* Node Security
* Securing your OS
* Firewalls and security groups. Remember to open port 123 for NTP.
* (Private) key management
* RethinkDB security
* Cluster monitoring
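Review bot: the header (-6,8 +6,6) records two lines dropped from this list, but the rendered view does not mark which; if "Firewalls and security groups. Remember to open port 123 for NTP." is one of them, that is the right call, because the new appendix says port 123 must only accept replies to requests the node's own NTP daemon sent, and a todo item telling readers to open it outright would contradict it. If "Securing your OS" is the other removed line, it has no counterpart in the new appendix, so it should either stay in this list or the commit message should say it is being deferred on purpose.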

View File

@ -12,16 +12,7 @@ The first step is to get a server (or equivalent) which meets [the requirements
The steps that you must take to secure your server depend on your server OS and where your server is physically located. There are many articles and books about how to secure a server. Here we just cover special considerations when securing a BigchainDB node.
When you set up the firewall, here is a list of the ports where inbound traffic is expected:
22 - The default SSH port (TCP) <br>
123 - The default NTP port (**UDP**) <br>
8080 - The default port for the RethinkDB web interface (TCP) <br>
9984 - The default port for the BigchainDB client-server API (TCP) <br>
28015 - The default port for RethinkDB client driver connections (TCP) <br>
29015 - The default port for RethinkDB intracluster connections (TCP)
Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.)
There are some [notes on BigchainDB-specific firewall setup](../appendices/firewall-notes.html) in the Appendices.
## Sync Your System Clock
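Review bot: the old port list here put "123 - The default NTP port (**UDP**)" alongside the TCP ports as a port where inbound traffic is expected, which is exactly what the new appendix tells readers not to do (NTP replies arrive as established/related traffic, not unsolicited inbound), so moving the list out of this page and correcting it in the appendix is the right fix; the replacement sentence "There are some notes on BigchainDB-specific firewall setup in the Appendices" is weaker than the surrounding "Node Security" material warrants and should say that the appendix holds the list of expected inbound ports and the NTP rule, so readers do not assume this page still covers them. The "Aside" paragraph about Telegraf (8125/UDP) and Grafana (3000) appears both in this hunk and in the new appendix; if it stays on both pages the two copies will drift, so keep it only in the appendix.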
@ -30,7 +21,7 @@ A BigchainDB node uses its system clock to generate timestamps for blocks and vo
NTP is a standard protocol. There are many NTP daemons implementing it. We don't recommend a particular one. On the contrary, we recommend that different nodes in a federation run different NTP daemons, so that a problem with one daemon won't affect all nodes.
Please see the [notes on NTP daemon setup in the Appendices](../appendices/ntp-notes.html).
Please see the [notes on NTP daemon setup](../appendices/ntp-notes.html) in the Appendices.
## Set Up Storage for RethinkDB Data