Protecting a forging node

We will be setting up a forging node F as well as 2 trusted nodes Nx. F will only ever connected to Nx, not accepting connections from any IP. We will then enforce this unidirectional communication with trusted nodes only by setting up firewalling rules on the forging node.

There is no requirement to have a specific number of trusted nodes but we recommend having no less than 2 for resiliency.
Trusted nodes architecture

trusted nodes architecture

Setup

The trusted nodes should be spread accross service providers and geographically to prevent concurrent outages. If all trusted nodes become unreachable at the same time then the forging node cannot operate.

All 3 nodes are installed on Ubuntu 20.04 LTS according to:

We will assume our forging node has the following example IPv4 adress: 192.0.0.1. We will additionally assume that our trusted nodes have the following IPv4 addresses:

  • 198.51.100.1

  • 203.0.113.1

All nodes are assumed to listen to port 4000.

Trusted nodes configuration
{
  network: {
    whitelistedPeers: [{
      // this is our forging node
      ip: "192.0.0.1",
      port: 4000
    }],
}
Forging node configuration
{
  network: {
    // Limit the maximum number of outbound connections to 2, the number of the trusted nodes
    maxOutboundConnections: 2,
    // Disallow inbound connections
    maxInboundConnections: 0,
    // Do not advertise our IPv4
    advertiseAddress: false,
    // Do not connect to any seed peer (the trusted nodes will be used, see below)
    seedPeers: [],
    // Those are our trusted nodes
    fixedPeers: [{198.51.100.1:4000, 203.0.113.1:4000}],
  }
}

Firewalling

We recommend only allowing incoming SSH (tcp/22) connections on the forging node. UFW is included by default on Ubuntu and can be used to that purpose. An alternative example using firehol can also be found below.

UFW example

To activate the UFW firewall with the desired configurations, run the following commands:

UFW example
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose

The last command’s output should be similar to:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere

Refer to https://ubuntu.com/server/docs/security-firewall for more information.

firehol example

sudo apt-get --assume-yes install firehol (1)
sudo vim /etc/firehol/firehol.conf (2)
1 Installs firehol
2 Opens the firehol config file

Paste the following contents into the firehol config file:

Sample /etc/firehol/firehol.conf
interface eth0 wan
  policy drop
  server icmp accept
  server ssh accept
  client all accept

Press Esc + : w q + Enter to save the file and quit.

Now run the following commands:

sudo firehol try (1)
sudo sed -i 's/^START_FIREHOL=.*$/START_FIREHOL=yes/' /etc/default/firehol (2)
1 Checks the configuration and then activates the firewall. This commands will ask for confirmation as a fail-safe and will reverse all changes if none is given after 30 seconds.
2 Sets START_FIREHOL=yes in /etc/default/firehol which will start the firewall automatically at boot time.

Refer to https://firehol.org/ for more information.