I am running a node on a Synology NAS. Besides the firewall and NAT of my router, there is the Synology-internal firewall.
What I want (and what is relatively common) is to open my NAS to the internet from country-wide IPs but not worldwide. What you want to do in that case is open all desired ports per IP and/or per country (Synology provides a lookup service that categorizes the country the IP request comes from and grants access or blocks).
At the end of the open-port list you set a “block all” entry, since the firewall rules are checked in the listed order and, as soon as one rule fits, no further firewall check is performed.
I now see trouble with the Storj node. Of course I have the TCP service port 28967 open for incoming traffic from any country. The node works fine until a node update is performed. After that the node is down. I think this is because the satellites cannot synchronize time or make any contact with the node. The satellites do not operate via TCP and not via 28967, as it seems.
In the Synology forum we already had the discussion, but with no final result. It was said there that besides the TCP port 28967, the UDP ports should be open for the satellite IPs (such as 184.108.40.206, 220.127.116.11, 18.104.22.168, etc.). And since the satellites communicate on a random port every time they make contact, all ports should be open to those special IPs.
So far so good.
My trouble now: this does not seem to work very stably or well. I am wondering what to do when the satellites change IP or a new satellite emerges.
Can anyone help me find the correct firewall settings for my Synology NAS without exposing the whole NAS to the world? Is there even a possibility to run a node AND a country-based IP filter at the same time?