Firewall Config for Storj User (Vice Node Operator)

I’m a Storj user (vice node operator). I need some documentation on which domains, IP addresses, and ports the Storj user client sends data to in order to effect backup. Can anyone send a link?

I am adding Storj as a backup mechanism for an existing public web accessible application. I’d like to back up the application’s data using Storj. The Storj backup works well when the application’s network enclave firewall is configured to accept all traffic. (By “enclave”, I mean a VLAN and subnet distinct from internal company LAN.) But that doesn’t meet security requirements. All traffic must be allowed only by exception and specifically declared rule.

I found firewall configuration info for node operators here and here. But that’s not my need. I’m a user–not node operator–on Storj.

My firewall log suggests the Storj client needs to contact 34.150.199.48 on port 7777 via TCP. But is that all it requires? I’d like to find documentation so my configuration can be as complete as possible.

(I understand that all domains and ports are subject to change. That’s OK. Anything declared in docs will get me started.)

Thanks!

Matt

Of course there are some fixed IPs (satellites & S3 gateway) which are static. But it is within the nature of Storj that you need to be able to connect to all Storj nodes, and those IPs can change on a daily basis (aside from that, there is no public list of them).

Basically the native client connects to the satellite, which provides a list of 80 nodes/IPs (per piece to upload) where to send the data to.

To get a rough idea of the Storj network (which the client needs to reach) you can have a look at the “by subnets” section of https://storjnet.info/

As a workaround you may be able to use the gateway, which handles the splitting & upload to nodes for you: S3 Compatible Gateway Hosted by Storj - Storj Docs. The downside of it is that you cannot use the maximum possible bandwidth which Storj can provide (as the gateway will be the bottleneck).

2 Likes

The public Storj nodes your backup data gets spread over are intentionally diverse, and change as needed to maintain fault-tolerance. It sounds like you need an exception made to your security policy. Policies are tailored to support business needs all the time.

Unless maybe you want to use one specific Select provider? You pay a bit more for that tier of service, but should end up with nodes within a narrow and static range of IPs.

1 Like

Solution from @Arkina worked best for my case. Storj (seemingly) hosts the S3 gateway at a single IP address which I allowed through the firewall on port 443.

Solution from @Roxor also very helpful. I could have scheduled the backup for a particular time and requested a security policy exception for that time only.

Thanks to both of you!

1 Like

This is an incorrect assumption. The IP address of the gateway is subject to change from time to time. So, you likely need to review your rules periodically or use the hostname instead of IPs (it also usually has several IPs, and it may resolve to IPv6 as well, but it’s region-specific; the edge services are highly distributed).
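
One way to run the periodic rule review suggested in the last reply, as an added example that is not part of the original thread: resolve the gateway hostname (IPv4 and IPv6) and compare the result with the firewall's allow rules. `GATEWAY_HOST` is a placeholder, not the real hostname, and the rule list is constructed sample data.

```python
import ipaddress
import socket

# Assumption: placeholder value; substitute the gateway hostname from the Storj docs.
GATEWAY_HOST = "gateway.example.invalid"
GATEWAY_PORT = 443


def resolve(host, port=GATEWAY_PORT):
    """Return every IPv4/IPv6 address the hostname currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def diff_allowlist(resolved, allowlist):
    """Compare resolved addresses with firewall allow rules (IPs or CIDRs).

    Returns (missing, stale):
      missing - resolved addresses that no rule covers (traffic would be dropped)
      stale   - rules that cover none of the resolved addresses (candidates to remove)
    """
    addrs = {ipaddress.ip_address(a) for a in resolved}
    nets = [(rule, ipaddress.ip_network(rule, strict=False)) for rule in allowlist]

    def covered(addr, net):
        # An IPv4 rule never covers an IPv6 address and vice versa.
        return addr.version == net.version and addr in net

    missing = sorted(
        (a for a in addrs if not any(covered(a, n) for _, n in nets)),
        key=lambda a: (a.version, int(a)),
    )
    stale = [rule for rule, n in nets if not any(covered(a, n) for a in addrs)]
    return [str(a) for a in missing], stale


if __name__ == "__main__":
    # Constructed sample rules (documentation address ranges), not real Storj IPs.
    rules = ["192.0.2.10/32", "2001:db8::/64"]
    try:
        current = resolve(GATEWAY_HOST)
    except socket.gaierror as exc:
        raise SystemExit(f"could not resolve {GATEWAY_HOST}: {exc}")
    missing, stale = diff_allowlist(current, rules)
    print("addresses with no allow rule:", missing)
    print("rules matching no current address:", stale)
```

Because the edge services are region-specific, run the check from the same network enclave that performs the backup so the resolver sees the addresses that host will actually be given.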