Firewall: All Ports Required For A Node To Function Properly?

Security is a concern. I notice some activity from the storage nodes on weird undocumented ports. Where could we check all the ports, which are required to be open, for a storage node to function properly? I notice activity on port 47377 (INFO failed to send packet: operation not permitted?), some users report port 53, 39889, 56941… Download Timeouts - what can I do? - #5 by Bivvo
Any more surprises, STORJ team? :slight_smile:

1 Like

This is not a surprise or a security concern. It is almost universal that in non-enterprise environments no outgoing ports are blocked. I would expect this is the case in 99.9% of consumer networks. A client could use any port they want to download a piece from you, and you yourself could run your node on any port you wish. You shouldn’t block outgoing ports for this reason, or you will have poor download success rates (you will be blocking others from downloading from you). The only security reason to block outgoing ports is if you want to block users from running services on their devices. You aren’t increasing security by blocking your node machine from making outgoing connections (unless you expect your machine to start making rogue connections to the outside world).

The only incoming ports you are required to open are the ones you run your nodes on.

6 Likes

Throwing iptables -t filter -P OUTPUT DROP to the trash can then and let’s see… What about FORWARD DROP unless specified to ACCEPT?

I’ve got 16 nodes hosted on a single IP. By design they have to be on different ports, because each has a separate listening socket. I pick some random ones, so that I can teach security-oversensitive customers about networking.

Stack Exchange Q/A …

https://security.stackexchange.com/questions/24310/why-block-outgoing-network-traffic-with-a-firewall

The short answer is:

Blocking outgoing ports is of limited security value for common and garden variety home networks. Very high value Enterprise servers containing sensitive data should probably have outgoing ports blocked and monitored. Other than that, it’s unnecessary and will probably cause significant problems with peer-to-peer data transfer networks such as Storj.


It’s useful to remember that the “centralized” portion of the Storj Network simply doles out node lists and keeps billing records. Each Storj client connects to each Storj node in a peer-to-peer mode. So, if you close outgoing ports, no one is going to be able to make complete connections to your node.

I am running many of those, so I take it you understand my initial concern.

First block all then allow only what is used. If we know which ports are used, this would be best. Obviously it is not only the port 28967.

But you don’t and can’t know this…

Thus your problems with connections you list in other threads.

It’s not advisable to run a Storj node on a sensitive server.

1 Like

For sure I run all my nodes on there own separate network away from my sensitive network.

Open outgoing ports…

We’re talking about Exfiltration…

https://towardsdatascience.com/data-analysis-for-cybersecurity-101-detecting-data-exfiltration-ae887594f675

99.9999% of information stored on Internet accessible machines is worthless.

The 0.00001% that is worth protecting is what I’ve termed “sensitive”.

I’m not talking about the 10 credit card numbers listed in plain text on your personal computing platform…

I’m talking about 100,000 patient medical records in your database… or the random TS/SCI document sitting in your VPN cache after remotely editing that memo on Nuclear Weapons…

Don’t run a Storj node on those machines… and block all outgoing ports.

Everything else on the Internet is just noise – script kiddies trying to hit a jackpot or some botnet trying to find zombie machines for a DDoS.

1 Like