Setup Firewall
Google Cloud Platform (GCP) Firewall
We will now go through the steps required to lock down our new Google Cloud Platform instance.
We will set up the instance's firewall rules (GCP's equivalent of a security group) to allow only the inbound connections our node needs to operate properly.
Our outbound rules will be set up to allow only connections that were initiated from the instance.
VPC NETWORK
From the left main panel, scroll down to VPC Network ➡️ Firewall.
Info: If necessary, click on the ☰ icon to open the main panel.
At the top you should notice that we are inside our Project.
You will also notice that we have some default rules:
- Wide-open access for SSH
- Wide-open access for RDP
Danger: You are dealing with crypto, so you want to have tight security. You are in charge of your own DeFi here, so if something goes wrong, no one is going to be able to help you.
Info: This will affect your ability to access your node from anywhere, but security needs to be taken into consideration when dealing with finances.
Select the two default rules for SSH and RDP and click the DELETE button to clean up these unwanted open rules.
NEW RULES
- Click on the CREATE FIREWALL RULE option.
Now comes a slightly harder section, but we can get through it!
Click here to get redirected to a website (https://www.whatipmyip.com) that will identify your local IP address for you (the public address your connection presents to the internet). Write this IP address down; it is an important IP to remember.
You will use this IP address (your local IP address) as the Source for the port 22 rule.
UNDERSTAND: This restricts access to your node to this location only. If you want access to your node from other locations (for example while roaming on your mobile device), you will need to create a more complex rule here (out of scope for this document).
IMPORTANT: The less restrictive your access, the more vulnerable your node becomes.
Let's walk through the two Inbound Rules that we will need.
NAME
- Give our first rule a name.
ACCOUNT
- Assign this rule to our Specified service account.
SERVICE ACCOUNT
- Select In this project.
- We don't need a service account, so we will choose No service account.
IP ADDRESS
- Enter the IP address that we retrieved from whatismyip.com and add /32 to the end of it.
Danger: Do not use 113.113.113.113/32; this is just an example.
- Add our SSH port 22 rule back into our rule set, but this time lock it down to allow only our local IP inbound.
All the other options on this Create Firewall Rule section should be left as they are; there is no need to alter them unless you are an advanced user and want to update elements to suit your needs.
- Click on CREATE.
VERIFY SSH RULE
NEW RULE
Now, go through the exact same process as the SSH rule above for our next rule.
- Click on the CREATE FIREWALL RULE option.
- Add a name to our firewall rule.
Let's assign this rule to our Specified service account.
- Select In this project.
- We don't need a Service Account, so we will choose No service account.
We will tell our rule to let anything on the internet access these ports. Add /0 to the end of 0.0.0.0.
Example: 0.0.0.0/0
- Choose the Specified protocols and ports option.
- Check the tcp: box.
- Enter 9000 followed by a - (dash) and then 9001, with no spaces: 9000-9001
All the other options on this Create Firewall Rule section should be left as they are; there is no need to alter them unless you are an advanced user and want to update elements to suit your needs.
- Click on CREATE.
MAINNET, INTEGRATIONNET, OR TESTNET LAUNCH REQUIREMENT
It is highly recommended that you use nodectl to install and control/administer your node.
Please add ports 9010-9011 to your firewall configuration to allow access to your MainNet, IntegrationNet or TestNet validator node's Layer1 connection. To accomplish this, repeat the exact same steps you used to open up ports 9000-9001.
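The same rule set as above, built with the gcloud CLI instead of the Console. This is an added example, not part of the guide or of nodectl; it assumes the project's default VPC is named "default", that the gcloud SDK is installed and authenticated, and it uses MY_IP as a placeholder for your own public IPv4 address. Rule names such as node-allow-ssh are chosen here, not prescribed by the guide.

```shell
#!/usr/bin/env bash
# Added example: recreate the guide's firewall rules with gcloud.
# Assumptions: VPC named "default", gcloud configured for the project,
# MY_IP set by you (e.g. from whatismyip.com). Nothing runs against
# GCP unless APPLY_FIREWALL=1 is set, so the functions can be checked first.
set -eu

# Accept only a single-host /32 source for SSH. Refuse 0.0.0.0/0 (that would
# recreate the wide-open default rule) and the guide's example address.
ssh_source_ok() {
  case "$1" in
    0.0.0.0/0|113.113.113.113/32) return 1 ;;
    */32) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the gcloud command for one INGRESS allow rule.
# $1 rule name, $2 tcp port or port range, $3 source CIDR.
# "tcp:PORTS" and the source CIDR correspond to the Console's
# "Specified protocols and ports" and "Source" fields.
fw_rule_cmd() {
  printf 'gcloud compute firewall-rules create %s --network=default --direction=INGRESS --action=ALLOW --rules=tcp:%s --source-ranges=%s\n' \
    "$1" "$2" "$3"
}

apply_rules() {
  MY_IP="${MY_IP:?set MY_IP to your public IPv4 address}"
  if ! ssh_source_ok "$MY_IP/32"; then
    echo "refusing SSH source $MY_IP/32" >&2
    return 1
  fi
  # 1. Remove the wide-open SSH and RDP defaults.
  gcloud compute firewall-rules delete default-allow-ssh default-allow-rdp --quiet
  # 2. SSH (22) only from your own address.
  eval "$(fw_rule_cmd node-allow-ssh 22 "$MY_IP/32")"
  # 3. Node ports open to the internet: 9000-9001 and the Layer1 9010-9011.
  eval "$(fw_rule_cmd node-allow-9000 9000-9001 0.0.0.0/0)"
  eval "$(fw_rule_cmd node-allow-9010 9010-9011 0.0.0.0/0)"
  # 4. Verify: only these rules should remain for the network.
  gcloud compute firewall-rules list --filter='network=default'
}

if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
  apply_rules
fi
```

Run it as `MY_IP=<your address> APPLY_FIREWALL=1 bash setup-firewall.sh`; without APPLY_FIREWALL it only defines the functions.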
VERIFY ALL OUR RULES
Our firewall security group is now properly set up to work with your future node. Congrats!