INFO failed to send packet: operation not permitted?

OK. I got this INFO in the log. Actually many of them one after each other.

Jan 14 17:01:46 server storagenode[1210]: 2022-01-14T17:01:46.157Z INFO failed to send packet: write udp XX.XX.XX.XX:47377->104.154.195.27:9000: write: operation not permitted

XX.XX.XX.XX is node IPv4. What is with port 47377? Should we even open this in the firewall? 9000?

i don’t think that’s an issue on your side… some connections just fail for various reasons.
if it shows up a lot i would look at it… but else it is most likely irrelevant…
my firewall is pretty strict and i got no issues.

Thought the same, but what’s with port 47377? My firewall does not allow using it. Maybe that’s why I see this in the log. Are there other “secret” ports we should open for the storage node to function properly? :slight_smile:

not that i’m aware of, looks like it’s an outgoing packet so really your firewall should just allow it.
i just run a slightly modified version of pfsense… and all i had to do was set up the NAT for the storagenode port on UDP and TCP.

i think pfsense by default blocks local traffic from going out and blocks all ingoing that is not replying to opened connections and then it allows most outgoing online stuff from the network, which software then can use to keep connections open to await replies and thus have two way communication, even when “everything is blocked”.

setting up a 100% custom firewall is pretty tricky and pretty much unrequired today, as there are plenty of good easy solutions to use like pfsense.

personally i wouldn’t even try to make my own firewall from scratch, because i think it would be less secure, more difficult to use and cause a ton of problems.

i think you are fine… just enjoy that it’s working now lol

1 Like

Will check out.

Not really, if you know what you need, but this port is not mentioned anywhere.

For your node to operate efficiently, you should not block any outgoing ports. As for firewall rules, you only need to open the one incoming port on TCP/UDP as described in the documentation.

2 Likes

I have raised that question about the unknown ports some time ago as well. No profound answer on that…

Seriously? :crazy_face:

It should be addressed, indeed. I would not like to leave unused ports open.

1 Like

Fully agree. At least it should be explained, what it means.

1 Like

Starting a new thread about it. Firewall: All Ports Required For A Node To Function Properly?

like i stated i believe that is the common practice for most firewalls today, even on an enterprise level, ofc which pfsense is one of the major open source providers.
one will need two way communication over many ports for most modern services, and to avoid people being able to affect one’s network, it’s controlled by the internal network requesting using the port, opening a connection which is then allowed to be answered over that same port number, maybe from specific online addresses…

the nitty gritty of it all gets very advanced which is why i doubt making one’s own firewall is a viable option… ofc it is very secure if most stuff doesn’t work.
until hit by something that one didn’t anticipate, then it might be more flawed than the standards of the industry.

your computer would also be much more secure if the OS disk was read only and upon reboot everything resets, but that’s not really very viable.

1 Like

I solved all my network security issues by disconnecting the machine from all network.

:wink:

and…

Business goes so much more smoothly without all the customers.

1 Like

definitely. As per documentation.

If you run storagenode on the Enterprise server with a lot of employers behind it - you probably need to block outgoing connections for unknown ports, but this is the end for the storagenode, because it’s a p2p software, it’s designed to use non-static ports.
You can use literally any.
So, if you would start to block outgoing connections, your download rate will go to zero. With a high probability your node will be considered as offline by the satellites too (because they will not receive responses on audit requests) and sooner or later it will be disqualified.

If you want to run storagenode - do not block any outgoing connections from the storagenode, you should allow only one port for inbound connections - the node’s port, all the rest may be blocked.

2 Likes

one could ofc set it up so that only the storagenode is allowed to make any outgoing connection.
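
Added example (not part of the thread and not Storj's own code): a small triage script for log lines in the format quoted in the first post. It groups the failed UDP sends by destination and checks whether the source ports fall in the Linux default ephemeral range, assumed here to be 32768-60999; `summarize`, `listen_port` and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# First line is the one quoted in the thread; the rest are constructed samples
# (198.51.100.7 is a documentation-range placeholder, not a real peer).
SAMPLE_LOG = """\
Jan 14 17:01:46 server storagenode[1210]: 2022-01-14T17:01:46.157Z INFO failed to send packet: write udp XX.XX.XX.XX:47377->104.154.195.27:9000: write: operation not permitted
Jan 14 17:01:46 server storagenode[1210]: 2022-01-14T17:01:46.301Z INFO failed to send packet: write udp XX.XX.XX.XX:47377->104.154.195.27:9000: write: operation not permitted
Jan 14 17:01:47 server storagenode[1210]: 2022-01-14T17:01:47.020Z INFO failed to send packet: write udp XX.XX.XX.XX:51912->198.51.100.7:28001: write: operation not permitted
Jan 14 17:01:48 server storagenode[1210]: 2022-01-14T17:01:48.000Z INFO some unrelated message
"""

# Matches only the "operation not permitted" send failures (IPv4 form).
PATTERN = re.compile(
    r"failed to send packet: write udp "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+): "
    r"write: operation not permitted"
)

# Assumption: Linux default net.ipv4.ip_local_port_range.
EPHEMERAL = range(32768, 61000)


def summarize(log_text, listen_port):
    """Group failed UDP sends by destination and classify their source ports.

    listen_port is the node's single inbound port, supplied by the caller.
    """
    by_dest = Counter()
    src_ports = set()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        by_dest[(m["dst"], int(m["dport"]))] += 1
        src_ports.add(int(m["sport"]))
    return {
        "failures_by_destination": dict(by_dest),
        # Ephemeral source ports are chosen by the kernel per outgoing socket.
        # They call for an egress allow rule, not an inbound "open port".
        "ephemeral_source_ports": sorted(p for p in src_ports if p in EPHEMERAL),
        "other_source_ports": sorted(
            p for p in src_ports if p not in EPHEMERAL and p != listen_port
        ),
        "from_listen_port": listen_port in src_ports,
    }
```

If every failing source port lands in `ephemeral_source_ports`, the log is showing blocked outbound traffic from short-lived sockets, which matches the advice in the thread to allow egress and open only the node's one inbound port.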