From 94e006125e3828a9129c9fd00312dfa5801b5781 Mon Sep 17 00:00:00 2001 From: troymc Date: Tue, 6 Sep 2016 12:06:33 +0200 Subject: [PATCH] docs: listed all ports expecting unsolicited inbound traffic --- docs/source/appendices/firewall-notes.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/source/appendices/firewall-notes.md b/docs/source/appendices/firewall-notes.md index dca89ac6..bad09b05 100644 --- a/docs/source/appendices/firewall-notes.md +++ b/docs/source/appendices/firewall-notes.md @@ -1,6 +1,17 @@ # Notes for Firewall Setup -This is a page of notes on the ports used by BigchainDB nodes and the traffic they should expect, to help with firewall setup (or security group setup on AWS). This page is _not_ a firewall tutorial or step-by-step guide. +This is a page of notes on the ports potentially used by BigchainDB nodes and the traffic they should expect, to help with firewall setup (and security group setup on AWS). This page is _not_ a firewall tutorial or step-by-step guide. + + +## Expected Unsolicited Inbound Traffic + +Assuming you aren't exposing the RethinkDB web interface on port 8080 (or any other port, because [there are more secure ways to access it](https://www.rethinkdb.com/docs/security/#binding-the-web-interface-port)), there are only three ports that should expect unsolicited inbound traffic: + +1. **Port 22** can expect inbound SSH (TCP) traffic from the node administrator (i.e. a small set of IP addresses). +2. **Port 9984** can expect inbound HTTP (TCP) traffic from BigchainDB clients sending transactions to the BigchainDB HTTP API. +3. **Port 29015** can expect inbound TCP traffic from other RethinkDB nodes in the RethinkDB cluster (for RethinkDB intracluster communications). + +All other ports should only get inbound traffic in response to specific requests from inside the node. ## Port 22
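Review bot: Item 3 of the new list ("**Port 29015** can expect inbound TCP traffic from other RethinkDB nodes in the RethinkDB cluster") should, like item 1, say who the expected senders are in firewall terms: the IP addresses of the other RethinkDB nodes in the cluster only, not any source. As written, items 1 and 3 read inconsistently, since item 1 qualifies its source ("i.e. a small set of IP addresses") while item 3 does not, and a reader setting up a security group may leave the intracluster port open to the world. Suggest, e.g., "from the other RethinkDB nodes in the RethinkDB cluster (i.e. the IP addresses of those nodes only)". Two smaller points in the same hunk: the lead-in makes the "only three ports" claim conditional on not exposing the RethinkDB web interface on port 8080, so the subject line "listed all ports" would be better served by a fourth, explicitly conditional item for 8080 (with the linked note that there are more secure ways to access it), rather than leaving the exception in the preamble; and the closing sentence "All other ports should only get inbound traffic in response to specific requests from inside the node" could state the consequence plainly, i.e. that the inbound default should be deny, with the listed ports as the only exceptions, so the page gives the reader a rule to implement rather than an observation.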