From bbeef84eecc60520cf2d0c470a795fd7be915949 Mon Sep 17 00:00:00 2001 From: troymc Date: Tue, 5 Jul 2016 15:41:18 +0200 Subject: [PATCH 1/5] Docs: list ports to help with firewall setup --- .../example-rethinkdb-storage-setups.md | 2 +- docs/source/nodes/setup-run-node.md | 17 +++++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/source/appendices/example-rethinkdb-storage-setups.md b/docs/source/appendices/example-rethinkdb-storage-setups.md index eb9ef372..6194d628 100755 --- a/docs/source/appendices/example-rethinkdb-storage-setups.md +++ b/docs/source/appendices/example-rethinkdb-storage-setups.md @@ -4,7 +4,7 @@ Many [AWS EC2 instance types](https://aws.amazon.com/ec2/instance-types/) comes with an [instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html): temporary storage that disappears when the instance disappears. The size and setup of an instance store depends on the EC2 instance type. -We have some scripts for [deploying a _test_ BigchainDB cluster on AWS](../clusters-feds/deploy-on-aws.html). Those scripts include commands to set up a partition (`/dev/xvdb`) on an [instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html) for RethinkDB data. Those commands can be found in the file `/deploy-cluster-aws/fabfile.py`, under `def install_rethinkdb()` (i.e. the Fabric function to install RethinkDB). +We have some scripts for [deploying a _test_ BigchainDB cluster on AWS](../clusters-feds/deploy-on-aws.html). Those scripts include commands to set up a partition (`/dev/xvdb`) on an instance store for RethinkDB data. Those commands can be found in the file `/deploy-cluster-aws/fabfile.py`, under `def install_rethinkdb()` (i.e. the Fabric function to install RethinkDB). An AWS instance store is convenient, but it's intended for "buffers, caches, scratch data, and other temporary content." Moreover: 
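Review bot: the unchanged first context line of this hunk still reads "Many [AWS EC2 instance types](...) comes with an instance store"; since the paragraph is being touched anyway, fix the agreement to "come with". Dropping the second link to the InstanceStorage page is fine, the same URL is already linked in the sentence before it.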
diff --git a/docs/source/nodes/setup-run-node.md b/docs/source/nodes/setup-run-node.md index 87e3bf92..ec929270 100755 --- a/docs/source/nodes/setup-run-node.md +++ b/docs/source/nodes/setup-run-node.md @@ -10,13 +10,18 @@ The first step is to get a server (or equivalent) which meets [the requirements ## Secure Your Server -The steps that you must take to secure your server depend on your server OS and where your server is physically located. There are many articles and books about how to secure a server. Ask a search engine. +The steps that you must take to secure your server depend on your server OS and where your server is physically located. There are many articles and books about how to secure a server. Here we just cover special considerations when securing a BigchainDB node. -Here we just cover special considerations when securing a BigchainDB node. +When you set up the firewall, here is a list of the ports where inbound traffic is expected: -TODO: Special security considerations for BigchainDB nodes. +22 - The default SSH port (TCP)
+123 - The default NTP port (**UDP**)
+8080 - The default port for the RethinkDB web interface (TCP)
+9984 - The default port for the BigchainDB client-server API (TCP)
+28015 - The default port for RethinkDB client driver connections (TCP)
+29015 - The default port for RethinkDB intracluster connections -TODO: Notes about firewall setup. What ports should be open, for what kinds of traffic, accepting connections from what IP addresses, etc. For example, NTP uses port 123. Can firewall setup be done now or does it have to happen later? +Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) ## Sync Your System Clock @@ -30,7 +35,7 @@ Please see the [notes on NTP daemon setup in the Appendices](../appendices/ntp-n ## Set Up Storage for RethinkDB Data -Below are some things to consider when setting up storage for the RethinkDB data. The appendices have a [section with concrete examples](../appendices/example-rethinkdb-storage-setups.html). +Below are some things to consider when setting up storage for the RethinkDB data. The Appendices have a [section with concrete examples](../appendices/example-rethinkdb-storage-setups.html). We suggest you set up a separate storage "device" (partition, RAID array, or logical volume) to store the RethinkDB data. Here are some questions to ask: @@ -86,7 +91,7 @@ join=node2_hostname:29015 If you're curious about the RethinkDB config file, there's [a RethinkDB documentation page about it](https://www.rethinkdb.com/docs/config-file/). The [explanations of the RethinkDB command-line options](https://rethinkdb.com/docs/cli-options/) are another useful reference. -TODO: Explain how to configure the RethinkDB cluster to be more secure. +TODO: Explain how to configure the RethinkDB cluster to be more secure. For now, see the [RethinkDB documentation on securing your cluster](https://rethinkdb.com/docs/security/). ## Install Python 3.4+ From 28e9f55e40849a42f4791d1ee9ed157c55eab661 Mon Sep 17 00:00:00 2001 
From: troymc Date: Tue, 5 Jul 2016 15:57:11 +0200 Subject: [PATCH 2/5] Docs: intracluster comms use TCP --- docs/source/nodes/setup-run-node.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/nodes/setup-run-node.md b/docs/source/nodes/setup-run-node.md index ec929270..9966917d 100755 --- a/docs/source/nodes/setup-run-node.md +++ b/docs/source/nodes/setup-run-node.md @@ -19,7 +19,7 @@ When you set up the firewall, here is a list of the ports where inbound traffic 8080 - The default port for the RethinkDB web interface (TCP)
9984 - The default port for the BigchainDB client-server API (TCP)
28015 - The default port for RethinkDB client driver connections (TCP)
-29015 - The default port for RethinkDB intracluster connections +29015 - The default port for RethinkDB intracluster connections (TCP) Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) From 079c23eb665e30ddf5d79ff49b827a8b5e7dc5cf Mon Sep 17 00:00:00 2001 From: troymc Date: Wed, 6 Jul 2016 11:08:39 +0200 Subject: [PATCH 3/5] Docs: expanded firewall notes & moved to Appendices --- docs/source/appendices/firewall-notes.md | 23 +++++++++++++++++++++++ docs/source/appendices/index.rst | 1 + docs/source/clusters-feds/future-docs.md | 2 -- docs/source/nodes/setup-run-node.md | 13 ++----------- 4 files changed, 26 insertions(+), 13 deletions(-) create mode 100644 docs/source/appendices/firewall-notes.md diff --git a/docs/source/appendices/firewall-notes.md b/docs/source/appendices/firewall-notes.md new file mode 100644 index 00000000..1f4fe16c --- /dev/null +++ b/docs/source/appendices/firewall-notes.md @@ -0,0 +1,23 @@ +# Notes on Firewall Setup + +When you set up the firewall (or security group on AWS) for a BigchainD node, here is a list of the ports where _unsolicited_ inbound traffic is expected: + +22 - The default SSH port (TCP)
+8080 - The default port for the RethinkDB web interface (TCP)
+9984 - The default port for the BigchainDB client-server API (TCP)
+28015 - The default port for RethinkDB client driver connections (TCP)
+29015 - The default port for RethinkDB intracluster connections (TCP) + +It you run an NTP daemon (client) on your BigchainDB node (and you should), then it shouldn't allow _all_ incoming UDP traffic on port 123 (the default NTP port). The only time it should allow incoming traffic on port 123 is if the NTP daemon sent a request to an external NTP server, and it's expecting a response from that server (i.e. established or related traffic). If you're using iptables for your firewall, then you should have an iptables rule allowing established, related traffic, something like: +```text +iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +``` + +Other ports you might need to consider include: + +53 - The default DNS port (UDP)
+161 - The default SNMP port (usually UDP, sometimes TCP) + +If your node's firewall isn't allowing all outbound traffic, then it must at least allow outbound traffic on the above-mentioned ports (including port 123 for NTP). + +Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) \ No newline at end of file diff --git a/docs/source/appendices/index.rst b/docs/source/appendices/index.rst index 2bb67221..8a098b68 100755 --- a/docs/source/appendices/index.rst +++ b/docs/source/appendices/index.rst @@ -11,6 +11,7 @@ Appendices cryptography the-Bigchain-class consensus + firewall-notes ntp-notes example-rethinkdb-storage-setups local-rethinkdb-cluster diff --git a/docs/source/clusters-feds/future-docs.md b/docs/source/clusters-feds/future-docs.md index 3c55f8d0..5a8cd985 100644 --- a/docs/source/clusters-feds/future-docs.md +++ b/docs/source/clusters-feds/future-docs.md @@ -6,8 +6,6 @@ * Logging * Node monitoring & crash recovery * Node Security - * Securing your OS - * Firewalls and security groups. Remember to open port 123 for NTP. * (Private) key management * RethinkDB security * Cluster monitoring diff --git a/docs/source/nodes/setup-run-node.md b/docs/source/nodes/setup-run-node.md index 9966917d..54725dd5 100755 --- a/docs/source/nodes/setup-run-node.md +++ b/docs/source/nodes/setup-run-node.md 
@@ -12,16 +12,7 @@ The first step is to get a server (or equivalent) which meets [the requirements The steps that you must take to secure your server depend on your server OS and where your server is physically located. There are many articles and books about how to secure a server. Here we just cover special considerations when securing a BigchainDB node. -When you set up the firewall, here is a list of the ports where inbound traffic is expected: - -22 - The default SSH port (TCP)
-123 - The default NTP port (**UDP**)
-8080 - The default port for the RethinkDB web interface (TCP)
-9984 - The default port for the BigchainDB client-server API (TCP)
-28015 - The default port for RethinkDB client driver connections (TCP)
-29015 - The default port for RethinkDB intracluster connections (TCP) - -Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) +There are some [notes on BigchainDB-specific firewall setup](../appendices/firewall-notes.html) in the Appendices. ## Sync Your System Clock @@ -30,7 +21,7 @@ A BigchainDB node uses its system clock to generate timestamps for blocks and vo NTP is a standard protocol. There are many NTP daemons implementing it. We don't recommend a particular one. On the contrary, we recommend that different nodes in a federation run different NTP daemons, so that a problem with one daemon won't affect all nodes. -Please see the [notes on NTP daemon setup in the Appendices](../appendices/ntp-notes.html). +Please see the [notes on NTP daemon setup](../appendices/ntp-notes.html) in the Appendices. ## Set Up Storage for RethinkDB Data From 12e3ed0842d1d5ed0d2ed3375c1995d990204306 Mon Sep 17 00:00:00 2001 From: troymc Date: Thu, 7 Jul 2016 15:41:57 +0200 Subject: [PATCH 4/5] Docs: Expanded firewall setup notes --- docs/source/appendices/firewall-notes.md | 53 ++++++++++++++++++++---- docs/source/nodes/configuration.md | 4 +- 2 files changed, 47 insertions(+), 10 deletions(-) diff --git a/docs/source/appendices/firewall-notes.md b/docs/source/appendices/firewall-notes.md index 1f4fe16c..e5349deb 100644 --- a/docs/source/appendices/firewall-notes.md +++ b/docs/source/appendices/firewall-notes.md 
@@ -1,23 +1,60 @@ # Notes on Firewall Setup -When you set up the firewall (or security group on AWS) for a BigchainD node, here is a list of the ports where _unsolicited_ inbound traffic is expected: +This page summarizes the ports used by BigchainDB and the traffic they should accept or reject, e.g. using a firewall or AWS security group. -22 - The default SSH port (TCP)
-8080 - The default port for the RethinkDB web interface (TCP)
-9984 - The default port for the BigchainDB client-server API (TCP)
-28015 - The default port for RethinkDB client driver connections (TCP)
-29015 - The default port for RethinkDB intracluster connections (TCP) + +## Inbound at Port 22 + +Port 22 is the default SSH port (TCP). It should expect unsolicited inbound traffic from arbitrary IP addresses. + + +## Inbound at Port 123 It you run an NTP daemon (client) on your BigchainDB node (and you should), then it shouldn't allow _all_ incoming UDP traffic on port 123 (the default NTP port). The only time it should allow incoming traffic on port 123 is if the NTP daemon sent a request to an external NTP server, and it's expecting a response from that server (i.e. established or related traffic). If you're using iptables for your firewall, then you should have an iptables rule allowing established, related traffic, something like: ```text iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ``` +## Inbound at Port 8080 + +Port 8080 is the default port used by RethinkDB for its adminstrative web interface (TCP). While you _can_, you shouldn't allow traffic arbitrary external sources. You can still use the RethinkDB web interface by binding it to localhost and then accessing it via a SOCKS proxy or reverse proxy; see "Binding the web interface port" on [the RethinkDB page about securing your cluster](https://rethinkdb.com/docs/security/). + + +## Inbound at Port 9984 + +Port 9984 is the default port for the BigchainDB client-server API (TCP), which is served by Gunicorn HTTP Server. +It's _possible_ allow port 9984 to accept inbound traffic from anyone, but we recommend against doing that. Instead, set up a reverse proxy server (e.g. using Nginx) and only allow traffic from there. Information about how to do that can be found [in the Gunicorn documentation](http://docs.gunicorn.org/en/stable/deploy.html). (They call it a proxy.) + +If Gunicorn and the reverse proxy are running on the same server, then you'll have to tell Gunicorn to listen on some port other than 9984 (so that the reverse proxy can listen on port 9984). 
You can do that by setting `server.bind` to 'localhost:PORT' in the [BigchainDB Configuration Settings](../nodes/configuration.html), where PORT is whatever port you chose (e.g. 9983). + +You may want to have Gunicorn and the reverse proxy running on different servers, so that both can listen on port 9984. That would also help isolate the effects of a denial-of-service attack. + + +## Inbound at Port 28015 + +Port 28015 is the default port used by RethinkDB client driver connections (TCP). If your BigchainDB node is just one server, then Port 28015 only needs to listen on localhost, because all the client drivers will be running on localhost. Port 28015 doesn't need to accept inbound traffic from the outside world. + + +## Inbound at Port 29015 + +Port 29015 is the default port for RethinkDB intracluster connections (TCP). It should only accept incoming traffic from other RethinkDB servers in the cluster (a list of IP addresses that you should be able to find out). + + +## Inbound at Other Ports + Other ports you might need to consider include: 53 - The default DNS port (UDP)
161 - The default SNMP port (usually UDP, sometimes TCP) -If your node's firewall isn't allowing all outbound traffic, then it must at least allow outbound traffic on the above-mentioned ports (including port 123 for NTP). +On Linux, you can use commands such as `netstat -tunlp` or `lsof -i` to get a sense of currently open/listening ports and connections, and the associated processes. -Aside: If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) \ No newline at end of file + +## Outbound Traffic + +If your node's firewall isn't allowing all outbound traffic, then it must at least allow outbound traffic on the above-mentioned ports. + + +## Cluster-Monitoring Server + +If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.) diff --git a/docs/source/nodes/configuration.md b/docs/source/nodes/configuration.md index a011b89c..3360f04e 100644 --- a/docs/source/nodes/configuration.md +++ b/docs/source/nodes/configuration.md 
@@ -108,9 +108,9 @@ export BIGCHAINDB_DATABASE_NAME=bigchain These settings are for the [Gunicorn HTTP server](http://gunicorn.org/), which is used to serve the [HTTP client-server API](../drivers-clients/http-client-server-api.html). -`server.bind` is where to bind the Gunicorn HTTP server socket. It's a string. It can be any valid value for [Gunicorn's bind setting](http://docs.gunicorn.org/en/stable/settings.html#bind). If you want to allow IPv4 connections from anyone, on port 9984, use '0.0.0.0:9984'. `server.workers` is [the number of worker processes](http://docs.gunicorn.org/en/stable/settings.html#workers) for handling requests. If `None` (the default), the value will be (cpu_count * 2 + 1). `server.threads` is [the number of threads-per-worker](http://docs.gunicorn.org/en/stable/settings.html#threads) for handling requests. If `None` (the default), the value will be (cpu_count * 2 + 1). +`server.bind` is where to bind the Gunicorn HTTP server socket. It's a string. It can be any valid value for [Gunicorn's bind setting](http://docs.gunicorn.org/en/stable/settings.html#bind). If you want to allow IPv4 connections from anyone, on port 9984, use '0.0.0.0:9984'. In a production setting, we recommend you use Gunicorn behind a reverse proxy server. If Gunicorn and the reverse proxy are running on the same machine, then use 'localhost:PORT' where PORT is _not_ 9984 (because the reverse proxy needs to listen on port 9984). Maybe use PORT=9983 in that case because we know 9983 isn't used. If Gunicorn and the reverse proxy are running on different machines, then use 'A.B.C.D:9984' where A.B.C.D is the IP address of the reverse proxy. There's [more information about deploying behind a reverse proxy in the Gunicorn documentation](http://docs.gunicorn.org/en/stable/deploy.html). (They call it a proxy.) -The HTTP server will be able to handle `server.workers` * `server.threads` requests simultaneously. 
+`server.workers` is [the number of worker processes](http://docs.gunicorn.org/en/stable/settings.html#workers) for handling requests. If `None` (the default), the value will be (cpu_count * 2 + 1). `server.threads` is [the number of threads-per-worker](http://docs.gunicorn.org/en/stable/settings.html#threads) for handling requests. If `None` (the default), the value will be (cpu_count * 2 + 1). The HTTP server will be able to handle `server.workers` * `server.threads` requests simultaneously. **Example using environment variables** ```text From a73a294cd73cd6e58ea3bcc201adbdc95af6596b Mon Sep 17 00:00:00 2001 From: troymc Date: Fri, 8 Jul 2016 10:29:41 +0200 Subject: [PATCH 5/5] Docs: Reorganized the firewall setup notes --- docs/source/appendices/firewall-notes.md | 70 ++++++++++++++---------- 1 file changed, 41 insertions(+), 29 deletions(-) diff --git a/docs/source/appendices/firewall-notes.md b/docs/source/appendices/firewall-notes.md index e5349deb..4f1e780c 100644 --- a/docs/source/appendices/firewall-notes.md +++ b/docs/source/appendices/firewall-notes.md 
@@ -1,60 +1,72 @@ -# Notes on Firewall Setup +# Notes for Firewall Setup -This page summarizes the ports used by BigchainDB and the traffic they should accept or reject, e.g. using a firewall or AWS security group. +This is a page of notes on the ports used by BigchainDB nodes and the traffic they should expect, to help with firewall setup (or security group setup on AWS). This page is _not_ a firewall tutorial or step-by-step guide. -## Inbound at Port 22 +## Port 22 -Port 22 is the default SSH port (TCP). It should expect unsolicited inbound traffic from arbitrary IP addresses. +Port 22 is the default SSH port (TCP) so you'll at least want to make it possible to SSH in from your remote machine(s). -## Inbound at Port 123 +## Port 53 -It you run an NTP daemon (client) on your BigchainDB node (and you should), then it shouldn't allow _all_ incoming UDP traffic on port 123 (the default NTP port). The only time it should allow incoming traffic on port 123 is if the NTP daemon sent a request to an external NTP server, and it's expecting a response from that server (i.e. established or related traffic). If you're using iptables for your firewall, then you should have an iptables rule allowing established, related traffic, something like: -```text -iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -``` - -## Inbound at Port 8080 - -Port 8080 is the default port used by RethinkDB for its adminstrative web interface (TCP). While you _can_, you shouldn't allow traffic arbitrary external sources. You can still use the RethinkDB web interface by binding it to localhost and then accessing it via a SOCKS proxy or reverse proxy; see "Binding the web interface port" on [the RethinkDB page about securing your cluster](https://rethinkdb.com/docs/security/). +Port 53 is the default DNS port (UDP). It may be used, for example, by some package managers when look up the IP address associated with certain package sources. 
-## Inbound at Port 9984 +## Port 80 -Port 9984 is the default port for the BigchainDB client-server API (TCP), which is served by Gunicorn HTTP Server. -It's _possible_ allow port 9984 to accept inbound traffic from anyone, but we recommend against doing that. Instead, set up a reverse proxy server (e.g. using Nginx) and only allow traffic from there. Information about how to do that can be found [in the Gunicorn documentation](http://docs.gunicorn.org/en/stable/deploy.html). (They call it a proxy.) +Port 80 is the default HTTP port (TCP). It's used by some package managers to get packages. It's _not_ used by the RethinkDB web interface (see Port 8080 below) or the BigchainDB client-server HTTP API (Port 9984). + + +## Port 123 + +Port 123 is the default NTP port (UDP). You should be running an NTP daemon on production BigchainDB nodes. NTP daemons must be able to send requests to external NTP servers and accept the respones. + + +## Port 161 + +Port 161 is the default SNMP port (usually UDP, sometimes TCP). SNMP is used, for example, by some server monitoring systems. + + +## Port 443 + +Port 443 is the default HTTPS port (TCP). You may need to open it up for outbound requests (and inbound responses) temporarily because some RethinkDB installation instructions use wget over HTTPS to get the RethinkDB GPG key. Package managers might also get some packages using HTTPS. + + +## Port 8125 + +If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html), then StatsD will send UDP packets to Telegraf (on the monitoring server) via port 8125. + + +## Port 8080 + +Port 8080 is the default port used by RethinkDB for its adminstrative web (HTTP) interface (TCP). While you _can_, you shouldn't allow traffic arbitrary external sources. 
You can still use the RethinkDB web interface by binding it to localhost and then accessing it via a SOCKS proxy or reverse proxy; see "Binding the web interface port" on [the RethinkDB page about securing your cluster](https://rethinkdb.com/docs/security/). + + +## Port 9984 + +Port 9984 is the default port for the BigchainDB client-server HTTP API (TCP), which is served by Gunicorn HTTP Server. It's _possible_ allow port 9984 to accept inbound traffic from anyone, but we recommend against doing that. Instead, set up a reverse proxy server (e.g. using Nginx) and only allow traffic from there. Information about how to do that can be found [in the Gunicorn documentation](http://docs.gunicorn.org/en/stable/deploy.html). (They call it a proxy.) If Gunicorn and the reverse proxy are running on the same server, then you'll have to tell Gunicorn to listen on some port other than 9984 (so that the reverse proxy can listen on port 9984). You can do that by setting `server.bind` to 'localhost:PORT' in the [BigchainDB Configuration Settings](../nodes/configuration.html), where PORT is whatever port you chose (e.g. 9983). You may want to have Gunicorn and the reverse proxy running on different servers, so that both can listen on port 9984. That would also help isolate the effects of a denial-of-service attack. -## Inbound at Port 28015 +## Port 28015 Port 28015 is the default port used by RethinkDB client driver connections (TCP). If your BigchainDB node is just one server, then Port 28015 only needs to listen on localhost, because all the client drivers will be running on localhost. Port 28015 doesn't need to accept inbound traffic from the outside world. -## Inbound at Port 29015 +## Port 29015 Port 29015 is the default port for RethinkDB intracluster connections (TCP). It should only accept incoming traffic from other RethinkDB servers in the cluster (a list of IP addresses that you should be able to find out). 
-## Inbound at Other Ports - -Other ports you might need to consider include: - -53 - The default DNS port (UDP)
-161 - The default SNMP port (usually UDP, sometimes TCP) +## Other Ports On Linux, you can use commands such as `netstat -tunlp` or `lsof -i` to get a sense of currently open/listening ports and connections, and the associated processes. -## Outbound Traffic - -If your node's firewall isn't allowing all outbound traffic, then it must at least allow outbound traffic on the above-mentioned ports. - - ## Cluster-Monitoring Server If you set up a [cluster-monitoring server](../clusters-feds/monitoring.html) (running Telegraf, InfluxDB & Grafana), Telegraf will listen on port 8125 for UDP packets from StatsD, and the Grafana web dashboard will use port 3000. (Those are the default ports.)
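Review bot: in the setup-run-node.md hunk `@@ -10,13 +10,18 @@` of PATCH 1/5, the list is headed "ports where inbound traffic is expected" but says nothing about which sources each port should accept from, so a reader building a firewall or security group from it will open 8080 (the RethinkDB web interface), 28015 (RethinkDB client driver connections) and 29015 (RethinkDB intracluster connections) to the whole internet. Qualify every entry with the expected peer: 28015 from localhost only when the node is a single server, 29015 from the other cluster members only, 8080 not from outside at all, 22 ideally from the operator's addresses. Port 123 does not belong in an "inbound expected" list either: an NTP client only receives replies to requests it sent, which a stateful established/related rule already admits without opening the port. Formatting nit: the six `+NN - ...` lines have no list markers and no blank lines between them, so Markdown will render them as one run-on paragraph; make them a `-` list.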
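Review bot: in the new file docs/source/appendices/firewall-notes.md added by PATCH 3/5, the intro line has a typo ("for a BigchainD node") and the NTP paragraph starts "It you run" (should be "If you run"). More importantly, the list still presents 8080 (RethinkDB web interface) and 28015 (RethinkDB driver connections) as ports where _unsolicited_ inbound traffic is expected; neither needs to be reachable from outside the node, since the driver port is used by the local BigchainDB process and the web interface is administrative, and the page should say so rather than leave it to the reader. The example rule `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` only does what the text claims if the INPUT chain's policy is DROP (or a DROP rule follows it) and this rule is appended before that; on a default-ACCEPT chain it changes nothing, so state that precondition. It is also worth one sentence that conntrack classifies the UDP reply from the NTP server as ESTABLISHED even though UDP has no connections, and that `-m conntrack --ctstate ESTABLISHED,RELATED` is the current spelling of the same match. Nit: the file is added without a trailing newline ("\ No newline at end of file").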
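Review bot: in the firewall-notes.md hunk `@@ -1,23 +1,60 @@` of PATCH 4/5, "Inbound at Port 22 ... should expect unsolicited inbound traffic from arbitrary IP addresses" reads as a recommendation to leave SSH open to the world; suggest restricting the source to the operator's addresses or a bastion host where that is possible, and saying so. For port 28015 the advice "only needs to listen on localhost" is right, but a firewall rule alone does not make RethinkDB listen on localhost; point the reader at the `bind` setting in the RethinkDB config file (the config-file documentation is already linked from setup-run-node.md) and at "Binding the driver port" on the RethinkDB security page the same hunk cites for the web interface. Typos to fix while here: "It you run", "adminstrative", "shouldn't allow traffic arbitrary external sources" (missing "from"), "It's _possible_ allow port 9984" (missing "to").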
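Review bot: the configuration.md hunk `@@ -108,9 +108,9 @@` of PATCH 4/5 gives wrong advice for the two-machine case: `server.bind` is the local address Gunicorn binds its listening socket to, so 'A.B.C.D:9984' with A.B.C.D being the reverse proxy's IP tells Gunicorn to bind an address that does not exist on its own host, and it will fail to start. Gunicorn should bind one of its own addresses (e.g. the node's private interface address, or '0.0.0.0:9984'), and the restriction to the proxy belongs in the firewall or security group as a source-IP rule on port 9984. Also "Maybe use PORT=9983 in that case because we know 9983 isn't used" is too casual for reference documentation; say "any unused port, e.g. 9983", and make the intent of 'localhost:PORT' explicit: only the co-located proxy can reach Gunicorn.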
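Review bot: in the firewall-notes.md hunk `@@ -1,60 +1,72 @@` of PATCH 5/5, the reorganization drops two things the reader needs: the stateful-rule example `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, which was the only explanation of how NTP replies get in without opening port 123 (the new Port 123 text just says the daemon "must be able to ... accept the respones"), and the "Outbound Traffic" section, so the page no longer says anywhere that egress must be allowed on 53, 80, 123 and 443 when outbound traffic is filtered. Keep both. The Port 443 advice to open it "temporarily" for the RethinkDB GPG key sits oddly next to the admission that package managers also fetch over HTTPS; if egress is filtered, outbound 80/443 is needed permanently for security updates, not just at install time. Port 8125 is now described twice (its own section and "Cluster-Monitoring Server") and is placed between 443 and 8080, out of the numeric order the rest of the page follows. Typos: "when look up" (looking up), "respones", "adminstrative", "allow traffic arbitrary external sources" (missing "from"), "It's _possible_ allow" (missing "to").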