maded2 / plotng

PlotNG - plotting utility for Chia.Net
Apache License 2.0

Bind PlotNG to specific interface/address #63

Closed carlosvsilva closed 3 years ago

carlosvsilva commented 3 years ago

Hi. I would prefer to not have plotng getting Internet traffic and would much prefer to bind it to localhost only, can you please add support for that? Thanks :)

maded2 commented 3 years ago

PlotNG UI is designed to query multiple PlotNG servers to display a single consolidated view of all plotters. If PlotNG is forced to only serve localhost then this feature will not work. I suggest you set up your PC firewall to block incoming traffic to the port (default 8444) for your specific setup.

carlosvsilva commented 3 years ago

But why can't the admin choose to not serve an open port on public interfaces? A firewall is for network level filtering around servers one has no control over. But since I'm running the server I should be able to just not expose a daemon on all interfaces, and keep it safely on 127.0.0.1 to reduce the attack surface. If I don't open daemons on internet connected interfaces there's no need for a firewall at all. Thanks.

CharlesWiltgen commented 3 years ago

@carlosvsilva, why not handle this in the same way you're dealing with all of the various ports (55400, 8555, 8559, 8560, 9256) that the Chia software itself opens?

carlosvsilva commented 3 years ago

All other daemons open mostly on 127.0.0.1 alone, apart from chia full node, which I believe actually needs to receive connections from the Internet to sync and do its thing, otherwise it may not work well. I'm exploring with AppArmor to see if I can confine chia node and farmer without breaking them. Other than chia, only SSH accepts outside authenticated connections for security. netstat output:

```
Proto Recv-Q Send-Q Endereço Local   Endereço Remoto  Estado  PID/Program name
tcp   0      0      0.0.0.0:8444     0.0.0.0:*        ESCUTA  2917/chia_full_node
tcp   0      0      0.0.0.0:8447     0.0.0.0:*        ESCUTA  2915/chia_farmer
tcp   0      0      127.0.0.1:9256   0.0.0.0:*        ESCUTA  2919/chia_wallet
tcp   0      0      127.0.0.1:55400  0.0.0.0:*        ESCUTA  1777/chia_daemon
tcp   0      0      127.0.0.1:8555   0.0.0.0:*        ESCUTA  2917/chia_full_node
tcp   0      0      127.0.0.1:8559   0.0.0.0:*        ESCUTA  2915/chia_farmer
tcp   0      0      127.0.0.1:8560   0.0.0.0:*        ESCUTA  2913/chia_harvester
tcp   0      0      127.0.0.53:53    0.0.0.0:*        ESCUTA  1419/systemd-resolv
tcp   0      0      0.0.0.0:22       0.0.0.0:*        ESCUTA  1654/sshd: /usr/sbi
tcp   0      0      127.0.0.1:631    0.0.0.0:*        ESCUTA  1468/cupsd
```
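
An added example, not part of the original thread or of PlotNG's code: a small Go audit helper that reads `netstat -tlnp` style text like the listing above and labels each listening socket by how widely it is bound. The names `Classify` and `Listener` and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample in the column layout of the listing quoted above.
const sample = `tcp 0 0 0.0.0.0:8444 0.0.0.0:* ESCUTA 2917/chia_full_node
tcp 0 0 127.0.0.53:53 0.0.0.0:* ESCUTA 1419/systemd-resolv
tcp6 0 0 :::8447 :::* ESCUTA 2915/chia_farmer
tcp 0 0 0.0.0.0:22 0.0.0.0:* ESCUTA 1654/sshd: /usr/sbi
tcp 0 0 192.0.2.10:22 192.0.2.20:50122 ESTABELECIDA 1654/sshd: user`

type Listener struct {
	Local, Program, Scope string
}

// Classify extracts listening TCP sockets from `netstat -tlnp` style text.
// A listener is recognised by a remote address ending in ":*", which does
// not change with locale, rather than by the translated state word.
func Classify(netstat string) []Listener {
	var out []Listener
	for _, line := range strings.Split(netstat, "\n") {
		f := strings.Fields(line)
		if len(f) < 7 || !strings.HasPrefix(f[0], "tcp") || !strings.HasSuffix(f[4], ":*") {
			continue
		}
		// Strip the port; netstat prints IPv6 unbracketed, e.g. ":::8447".
		host := strings.TrimSuffix(strings.TrimRight(f[3], "0123456789"), ":")
		scope := "specific-address"
		switch ip := net.ParseIP(host); {
		case ip == nil:
			continue
		case ip.IsUnspecified():
			scope = "all-interfaces"
		case ip.IsLoopback():
			scope = "loopback"
		}
		out = append(out, Listener{Local: f[3], Program: strings.Join(f[6:], " "), Scope: scope})
	}
	return out
}

func main() {
	for _, l := range Classify(sample) {
		fmt.Printf("%-16s %-15s %s\n", l.Scope, l.Local, l.Program)
	}
}
```

The scope reflects only the bind address; packet filtering in front of the socket is not visible in this output.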

maded2 commented 3 years ago

Personal firewall is the only viable way to achieve the high security you are looking for. Just block all the ports you don't want to open.