erigontech / erigon

Ethereum implementation on the efficiency frontier https://erigon.gitbook.io
GNU Lesser General Public License v3.0

Firewall blocks Erigon CL peer discovery #6228

Closed stefancristianco closed 1 year ago

stefancristianco commented 1 year ago

I am trying to run erigon in archive mode on a server hosted by Hetzner. They provide a free "stateless" firewall solution that I am trying to configure and in general all works well except CL peer discovery.

So, while firewall is active I always see in logs "peers=0". All works fine if I turn off the firewall and it also keeps working fine for a while, with firewall on, if trusted peers are already known.

This is how I configured the firewall rules: [screenshot: 2022-12-07 10-39-40]

All outgoing traffic is permitted, all incoming traffic is dropped unless it matches one of the rules.

Can someone please help explain what might be missing in my firewall rules?

AskAlexSharov commented 1 year ago
  1. see our readme section about firewalls
  2. see https://github.com/ledgerwatch/erigon/issues/6117#issuecomment-1328949007

stefancristianco commented 1 year ago
  1. "see our readme section about firewalls"
     I checked this already. The erigon service provides RPC API to some local running apps. So, from what I can tell so far, the only ports that need to be exposed are 30303 and 30304. Did I miss anything?

  2. "see Hetzner port scanning (:4000) - Downloader: re-write "is ipv6 enabled" logic #6117 (comment)"
     Yes, this issue looks similar. I hope the solution worked, let's see if anyone replies.

Thanks

nikolinsko commented 1 year ago

Is erigon picking up your public ip correctly? I had to set --nat extip to get it to work on hetzner.

stefancristianco commented 1 year ago

Is erigon picking up your public ip correctly? I had to set --nat extip to get it to work on hetzner.

Not sure how to answer. Erigon is working fine without firewall, and it's also being run from within a docker container.

stefancristianco commented 1 year ago

Today I got the second message from Hetzner with title "Network abuse". Their software is detecting an attack from my server running erigon. All this started happening right after I upgraded to latest tag v2.30.0 (I was previously running with alpha branch) and I've changed the configuration to use erigon internal CL instead of prysm. Note, that I've been using prysm since the merge and never had any issues.

The netscan snippet I got in the e-mail is highlighting UDP port 4000:

Thu Dec 8 20:12:24 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:13:36 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:26 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:47 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:53 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:12:36 2022 UDP ... 4000 => 100.73.229.248 19000
Thu Dec 8 20:13:26 2022 UDP ... 4000 => 100.73.229.248 19000
Thu Dec 8 20:14:05 2022 UDP ... 4000 => 100.73.229.248 19000
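The netscan excerpt above has a regular line format, so it can be parsed and summarised before deciding whether an abuse notice describes a real scan or a node re-contacting the same peers. The following is an added example, not code from this thread or from the Erigon project: a small Python triage helper that parses lines in that format (the sample below is constructed from the lines quoted in the comment, with the source address elided as "..." exactly as in the e-mail) and reports which local source ports were used and how many distinct destination ports each remote host was hit on. The "repeated-to-fixed-port" versus "port-sweep" label is a heuristic of this example, not a Hetzner classification.

```python
import re
from collections import defaultdict

# Constructed sample: the netscan lines quoted in the comment, one per line.
# The source address is elided ("...") in the original e-mail excerpt.
SAMPLE = """
Thu Dec 8 20:12:24 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:13:36 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:26 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:47 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:14:53 2022 UDP ... 4000 => 100.74.129.239 30303
Thu Dec 8 20:12:36 2022 UDP ... 4000 => 100.73.229.248 19000
Thu Dec 8 20:13:26 2022 UDP ... 4000 => 100.73.229.248 19000
Thu Dec 8 20:14:05 2022 UDP ... 4000 => 100.73.229.248 19000
"""

# "<weekday> <month> <day> <HH:MM:SS> <year> <proto> <src> <sport> => <dst> <dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+=>\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def parse_netscan(text):
    """Parse netscan-style lines into dicts; reject anything that does not match."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised netscan line: {line!r}")
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarize(events):
    """Group traffic by local source port and by remote host/port.

    A node retrying a handful of known peers shows one fixed source port and
    exactly one destination port per remote host; a scan shows many
    destination ports per host (or many hosts).  That distinction is the
    heuristic used for the "pattern" field (an assumption of this example).
    """
    source_ports = sorted({(e["proto"], e["sport"]) for e in events})
    per_dst = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_dst[e["dst"]][e["dport"]] += 1
    hosts = {dst: dict(ports) for dst, ports in per_dst.items()}
    max_ports_per_host = max((len(p) for p in hosts.values()), default=0)
    return {
        "events": len(events),
        "source_ports": source_ports,
        "hosts": hosts,
        "max_ports_per_host": max_ports_per_host,
        "pattern": "repeated-to-fixed-port" if max_ports_per_host <= 1 else "port-sweep",
    }


if __name__ == "__main__":
    summary = summarize(parse_netscan(SAMPLE))
    print(f"{summary['events']} events from local ports {summary['source_ports']}")
    for host, ports in summary["hosts"].items():
        print(f"  {host}: {ports}")
    print("pattern:", summary["pattern"])
```

Running it on the quoted lines shows a single local UDP source port (4000) and one destination port per remote host, which is the shape of a node repeatedly trying the same peers rather than a sweep across ports; that is the kind of evidence worth attaching when replying to a "Network abuse" notice, alongside the firewall rules that restrict which inbound ports are reachable.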

nikolinsko commented 1 year ago

I guess it won't help as the connection seems to be fine without the firewall settings.

Erigon picks up the local ip at my hetzner server on startup without the nat extip flag, which seemed to lead to no connectivity:

[INFO] [12-09|18:47:26.211] Started P2P networking version=66 self=enode://a080614.....385a@**XX.XX.XX.XX**:30303 name=erigon/v2.30.0-dev-a8ac42f4/linux-amd64/go1.18

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 40 days with no activity. Remove stale label or comment, or this will be closed in 7 days.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stalled for 7 days with no activity.

Giulio2002 commented 1 year ago

fixed by #7900