@DaMandal0rian DaMandal0rian commented Mar 4, 2025

PR Type

Enhancement


Description

  • Add ingress rule for TCP port 30333 for VPC

  • Add ingress rule for TCP port 30433 for VPC

  • Add ingress rule for TCP port 30334 for VPC


Changes walkthrough 📝

Relevant files

Enhancement: network.tf (templates/terraform/subql/base/network.tf), +24/-0

New ingress rules for node syncing ports

  • Added three ingress blocks for new node syncing ports
  • Configured TCP ports 30333, 30433, and 30334

    github-actions bot commented Mar 4, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 Security concerns

    The configuration allows ingress from any IP address due to the use of "0.0.0.0/0". If this exposure is not deliberate, consider limiting the CIDR blocks to trusted networks.

    ⚡ Recommended focus areas for review

    Security

    The new ingress rules permit traffic from "0.0.0.0/0", potentially exposing these ports to the public internet. Please verify if this is intentional or if restricting to a specific VPC CIDR range would be more secure.

      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
    
    ingress {
      description = "TCP Node Port 30333 for VPC"
      from_port   = 30333
      to_port     = 30333
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
    
    ingress {
      description = "TCP Node Port 30433 for VPC"
      from_port   = 30433
      to_port     = 30433
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
    
    ingress {
      description = "TCP Node Port 30334 for VPC"
      from_port   = 30334
      to_port     = 30334
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
    
    egress {
      description = "egress for VPC"
      from_port   = 0
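
Review bot: In the three added ingress blocks the description says "for VPC" while cidr_blocks is ["0.0.0.0/0"], so each rule admits any IPv4 source rather than VPC traffic, and the description will mislead whoever audits this group later. If only in-VPC peers need to reach 30333, 30433 and 30334, set cidr_blocks to the VPC's CIDR range; if public reachability is intended, change the description to say so. The three blocks also differ only in the port number and could be generated from one list of ports so that the CIDR is set in a single place.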

    github-actions bot commented Mar 4, 2025

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Impact
    Security
    Limit ingress CIDR exposure

    Restrict ingress CIDR ranges to trusted networks instead of using "0.0.0.0/0" to
    minimize exposure.

    templates/terraform/subql/base/network.tf [98-104]

     ingress {
       description = "TCP Node Port 30333 for VPC"
       from_port   = 30333
       to_port     = 30333
       protocol    = "tcp"
    -  cidr_blocks = ["0.0.0.0/0"]
    +  cidr_blocks = ["<trusted_network_cidr>"]
     }
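
Review bot: The replacement value "<trusted_network_cidr>" on the + line is a placeholder, not a CIDR, so this suggestion cannot be committed as written, and it changes only the port 30333 block. Supply the actual range through a variable and apply the same change to the 30433 and 30334 ingress blocks, which carry the same cidr_blocks value and are not covered by this hunk.
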
    Suggestion importance[1-10]: 8

    Why: The suggestion addresses a security concern by proposing to replace the overly permissive "0.0.0.0/0" with a more restrictive CIDR, which helps minimize exposure. However, the use of a placeholder requires further contextual adjustment, so the score is high but not perfect.

    Impact: Medium

    @DaMandal0rian DaMandal0rian deleted the astral-taurus-ports branch March 4, 2025 12:45
    @DaMandal0rian
    Contributor Author

    This is not needed; the ports only need egress.
