Security

Firewall & Security Configuration

⚠️ Critical Security Setup - Configure UFW firewall to secure your Namada infrastructure.

Replace placeholders:

yourdomain.com - Your actual domain

✅ Firewall Setup (UFW)

Why Firewall Configuration Matters

Proper firewall setup is critical for:

Security - Block unauthorized access
Service Protection - Expose only necessary ports
DDoS Mitigation - Reduce attack surface
Compliance - Follow security best practices

⚠️ Important Notes

Before starting:

Ensure you have console/KVM access to your server
SSH access might be temporarily interrupted
Test immediately after applying rules
Keep a recovery method ready

✅ Installation & Configuration

1. Update System

sudo apt-get update && sudo apt-get upgrade -y

2. Install UFW

apt update
apt install ufw -y

3. Apply UFW Configuration

# Reset firewall to clean state
ufw --force reset

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (CRITICAL - Do not skip!)
ufw allow 22/tcp

# Allow NGINX HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Allow CometBFT P2P
ufw allow 26656/tcp

# Allow Namada RPC
ufw allow 26657/tcp

# Block Namada ABCI (internal only)
ufw deny 26658/tcp

# Enable firewall
ufw enable

# Verify configuration
ufw status numbered

Expected output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 26656/tcp                  ALLOW IN    Anywhere
[ 5] 26657/tcp                  ALLOW IN    Anywhere
[ 6] 26658/tcp                  DENY IN     Anywhere

✅ Verification & Testing

4. Test All Services Immediately

⚠️ CRITICAL: Test immediately after enabling firewall!

# Test RPC endpoint
curl -vk https://housefire.rpc.yourdomain.com/

# Test Indexer API
curl -vk https://housefire.indexer.yourdomain.com/api/v1/pos/validator/all

# Test UI interface
curl -vk https://housefire.ui.yourdomain.com/

# Test MASP Indexer API
curl -vk https://housefire.masp-indexer.yourdomain.com/api/v1/height

# Check validator connectivity
curl -s localhost:26657/net_info | grep n_peers

Expected responses:

RPC: JSON response with node status
Indexer: List of validators in JSON
UI: HTML content
MASP Indexer: {"block_height": ...}
Peers: "n_peers": "10" (or similar number)

✅ Monitoring

5. Monitor for Issues

# Check NGINX access logs
tail -f /var/log/nginx/access.log

# Check NGINX error logs
tail -f /var/log/nginx/error.log

# Check Docker services status
docker ps | grep -E "(indexer|masp)"

# Check Namada service
sudo systemctl status namadad

# Monitor firewall logs
sudo tail -f /var/log/ufw.log

Check Validator Peers

# Check connected peers
curl -s localhost:26657/net_info | jq '.result.n_peers'

# List all peers
curl -s localhost:26657/net_info | jq '.result.peers[].node_info.moniker'

# Check sync status
curl -s localhost:26657/status | jq '.result.sync_info'

✅ Troubleshooting

6. Emergency Disable (If Services Fail)

⚠️ Only use if critical services are down!

# Temporarily disable firewall
ufw disable

# Test services again
curl -vk https://housefire.rpc.yourdomain.com/

# If services work, firewall was blocking something
# Check rules carefully before re-enabling

Common Issues & Solutions

Issue 1: SSH Connection Lost

Symptom: Cannot connect via SSH after enabling firewall

Solution:

# Via console/KVM access
ufw allow 22/tcp
ufw reload

# Or temporarily disable
ufw disable

Issue 2: Validator Not Connecting to Peers

Symptom: n_peers: 0 or very low peer count

Solution:

# Verify P2P port is open
ufw status | grep 26656

# Check if port is listening
netstat -tulpn | grep 26656

# Test P2P connectivity
telnet your-server-ip 26656

Issue 3: NGINX Services Not Accessible

Symptom: 403/502/504 errors on web endpoints

Solution:

# Verify ports 80/443 are allowed
ufw status | grep -E "80|443"

# Check NGINX status
sudo systemctl status nginx

# Check NGINX logs
sudo tail -f /var/log/nginx/error.log

# Test local connections
curl http://localhost:5001/health  # Indexer
curl http://localhost:5000/health  # MASP Indexer

Issue 4: Docker Services Can't Connect

Symptom: Indexers can't reach RPC/database

Solution:

# Docker containers use host network
# Check Docker network
docker network ls

# Verify container logs
docker logs namada-indexer-webserver-1
docker logs masp-indexer-crawler-1

# Allow Docker subnet (if needed)
ufw allow from 172.17.0.0/16 to any

✅ Advanced Security Rules

Additional Hardening (Optional)

# Limit SSH connections (rate limiting)
ufw limit 22/tcp

# Allow SSH from specific IP only
ufw allow from YOUR_IP_ADDRESS to any port 22

# Allow RPC only from specific IPs (for private validators)
ufw allow from TRUSTED_IP to any port 26657

# Block all other incoming traffic
ufw default deny incoming

# Enable logging
ufw logging on

IP Whitelisting for Admin Access

# Allow only your IP for SSH
ufw delete allow 22/tcp
ufw allow from YOUR_IP_ADDRESS to any port 22

# Allow your IP for all services
ufw allow from YOUR_IP_ADDRESS

✅ Firewall Rules Summary

Port

Protocol

Service

Action

Purpose

TCP

SSH

ALLOW

Remote server access

TCP

HTTP

ALLOW

NGINX HTTP (redirects)

443

TCP

HTTPS

ALLOW

NGINX HTTPS (secure)

26656

TCP

CometBFT P2P

ALLOW

Validator peer connections

26657

TCP

Namada RPC

ALLOW

RPC API access

26658

TCP

Namada ABCI

DENY

Internal only (security)

5000

TCP

MASP Indexer

Proxied via NGINX

5001

TCP

Namada Indexer

Proxied via NGINX

5432

TCP

PostgreSQL

Docker internal only

Note: Ports 5000, 5001, and 5432 are NOT exposed to the internet - they're only accessible via NGINX reverse proxy (443) or Docker internal network.

✅ Quick Command Reference

# Check firewall status
ufw status numbered
ufw status verbose

# Enable/disable firewall
ufw enable
ufw disable

# Add new rule
ufw allow PORT/tcp
ufw deny PORT/tcp

# Delete rule by number
ufw delete NUMBER

# Delete rule by specification
ufw delete allow 80/tcp

# Reset all rules
ufw --force reset

# Reload firewall
ufw reload

# Check logs
tail -f /var/log/ufw.log

# Test services
curl -vk https://housefire.rpc.yourdomain.com/
curl -vk https://housefire.indexer.yourdomain.com/health
curl -vk https://housefire.masp-indexer.yourdomain.com/api/v1/height
curl -s localhost:26657/net_info | jq '.result.n_peers'

✅ Post-Configuration Checklist

After enabling firewall, verify:

SSH connection still works
NGINX serves all domains (rpc, indexer, masp-indexer, ui)
Validator connects to peers (n_peers > 0)
Indexer services respond to health checks
Docker containers are running
NGINX logs show no errors
Firewall rules are correctly numbered
No unauthorized ports are exposed

✅ Security Best Practices

Never expose database ports (5432) to the internet
Always use HTTPS for public endpoints
Enable rate limiting for SSH (use ufw limit 22/tcp)
Monitor logs regularly for suspicious activity
Keep firewall rules minimal - only open what's necessary
Use IP whitelisting for administrative access when possible
Regular security audits - review open ports monthly
Enable fail2ban for additional protection against brute force

✅ Additional Resources

PreviousNamadillo NextServices

Last updated 2 months ago