Notes for Firewall Setup¶
This is a page of notes on the ports potentially used by BigchainDB nodes and the traffic they should expect, to help with firewall setup (and security group setup on AWS). This page is not a firewall tutorial or step-by-step guide.
Expected Unsolicited Inbound Traffic¶
Assuming you aren’t exposing the RethinkDB web interface on port 8080 (or any other port, because there are more secure ways to access it), there are only three ports that should expect unsolicited inbound traffic:
- Port 22 can expect inbound SSH (TCP) traffic from the node administrator (i.e. a small set of IP addresses).
- Port 9984 can expect inbound HTTP (TCP) traffic from BigchainDB clients sending transactions to the BigchainDB HTTP API.
- Port 9985 can expect inbount WebSocket traffic from BigchainDB clients.
- If you’re using RethinkDB, Port 29015 can expect inbound TCP traffic from other RethinkDB nodes in the RethinkDB cluster (for RethinkDB intracluster communications).
- If you’re using MongoDB, Port 27017 can expect inbound TCP traffic from other nodes.
All other ports should only get inbound traffic in response to specific requests from inside the node.
Port 22¶
Port 22 is the default SSH port (TCP) so you’ll at least want to make it possible to SSH in from your remote machine(s).
Port 53¶
Port 53 is the default DNS port (UDP). It may be used, for example, by some package managers when look up the IP address associated with certain package sources.
Port 80¶
Port 80 is the default HTTP port (TCP). It’s used by some package managers to get packages. It’s not used by the RethinkDB web interface (see Port 8080 below) or the BigchainDB client-server HTTP API (Port 9984).
Port 123¶
Port 123 is the default NTP port (UDP). You should be running an NTP daemon on production BigchainDB nodes. NTP daemons must be able to send requests to external NTP servers and accept the respones.
Port 161¶
Port 161 is the default SNMP port (usually UDP, sometimes TCP). SNMP is used, for example, by some server monitoring systems.
Port 443¶
Port 443 is the default HTTPS port (TCP). You may need to open it up for outbound requests (and inbound responses) temporarily because some RethinkDB installation instructions use wget over HTTPS to get the RethinkDB GPG key. Package managers might also get some packages using HTTPS.
Port 8080¶
Port 8080 is the default port used by RethinkDB for its adminstrative web (HTTP) interface (TCP). While you can, you shouldn’t allow traffic arbitrary external sources. You can still use the RethinkDB web interface by binding it to localhost and then accessing it via a SOCKS proxy or reverse proxy; see “Binding the web interface port” on the RethinkDB page about securing your cluster.
Port 9984¶
Port 9984 is the default port for the BigchainDB client-server HTTP API (TCP), which is served by Gunicorn HTTP Server. It’s possible allow port 9984 to accept inbound traffic from anyone, but we recommend against doing that. Instead, set up a reverse proxy server (e.g. using Nginx) and only allow traffic from there. Information about how to do that can be found in the Gunicorn documentation. (They call it a proxy.)
If Gunicorn and the reverse proxy are running on the same server, then you’ll have to tell Gunicorn to listen on some port other than 9984 (so that the reverse proxy can listen on port 9984). You can do that by setting server.bind to ‘localhost:PORT’ in the BigchainDB Configuration Settings, where PORT is whatever port you chose (e.g. 9983).
You may want to have Gunicorn and the reverse proxy running on different servers, so that both can listen on port 9984. That would also help isolate the effects of a denial-of-service attack.
Port 9985¶
Port 9985 is the default port for the BigchainDB WebSocket Event Stream API.
Port 28015¶
Port 28015 is the default port used by RethinkDB client driver connections (TCP). If your BigchainDB node is just one server, then Port 28015 only needs to listen on localhost, because all the client drivers will be running on localhost. Port 28015 doesn’t need to accept inbound traffic from the outside world.
Port 29015¶
Port 29015 is the default port for RethinkDB intracluster connections (TCP). It should only accept incoming traffic from other RethinkDB servers in the cluster (a list of IP addresses that you should be able to find out).
Other Ports¶
On Linux, you can use commands such as netstat -tunlp or lsof -i to get a sense of currently open/listening ports and connections, and the associated processes.