synechron-finlabs / quorum-maker

Utility to create and monitor Quorum nodes
Apache License 2.0

Minimum open ports for deployment #65

Closed Eithcowich closed 5 years ago

Eithcowich commented 5 years ago

I've been developing a 10 node setup, and kept ports 22000 - 22005 open. We are now moving to deployment and need to secure the system from outside hits. My questions are:

  1. Can I entirely close the dashboard port at 22004? (So the dashboard would be visible only from localhost)

  2. What is the purpose of the whisper port at 22001, and the WS port at 22005?

dhyansraj commented 5 years ago
  1. Can I entirely close the dashboard port at 22004? (So the dashboard would be visible only from localhost)

Yes. If all of your nodes are in the same network, you can block the ports using a firewall or even remove the export from the start script. If the nodes are in different networks, you can add firewall rules to allow them or use a reverse proxy to use SSL and authentication.

  2. What is the purpose of the whisper port at 22001, and the WS port at 22005?

22001 is for ethereum nodes to broadcast to each other, and the WS port is for subscribing to notifications for events.

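The firewall option from the answer above, as an added example that is not part of Quorum Maker or this thread: a POSIX shell function that prints iptables rules confining the 22000-22005 range. It assumes 22004 is the dashboard (reachable from loopback only) and that every other port in the range is node-to-node traffic that only peers in a trusted subnet should reach; the subnet value is constructed. The function prints the rules rather than applying them, so they can be reviewed and then piped to `sh` on the host.

```shell
# Added example, not Quorum Maker's code. Assumptions: the node listens on
# 22000-22005, 22004 is the dashboard, and all other ports in the range carry
# node-to-node traffic that only PEER_SUBNET should reach.
# PEER_SUBNET is a constructed value; override it from the environment.

PEER_SUBNET="${PEER_SUBNET:-10.0.0.0/24}"
DASHBOARD_PORT=22004
FIRST_PORT=22000
LAST_PORT=22005

# quorum_fw_rules SUBNET DASHBOARD_PORT FIRST_PORT LAST_PORT
# Prints one iptables command per line; nothing is applied.
quorum_fw_rules() {
  subnet="$1"; dash="$2"; first="$3"; last="$4"
  # Dashboard: accept only on the loopback interface, drop everything else,
  # which is what "visible only from localhost" amounts to at the packet level.
  printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$dash"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$dash"
  port=$first
  while [ "$port" -le "$last" ]; do
    if [ "$port" -ne "$dash" ]; then
      # Node ports: trusted peer subnet only. Logging the drops gives the
      # "outside hits" a visible trace in the kernel log.
      printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$subnet"
      printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "quorum-drop: "\n' "$port"
      printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    fi
    port=$((port + 1))
  done
}

# quorum_fw_rule_count: number of rules generated, a quick sanity check
# before applying (2 for the dashboard, 3 for each remaining port).
quorum_fw_rule_count() {
  quorum_fw_rules "$@" | wc -l | tr -d ' '
}

# Review, then apply with:  quorum_fw_rules ... | sudo sh
quorum_fw_rules "$PEER_SUBNET" "$DASHBOARD_PORT" "$FIRST_PORT" "$LAST_PORT"
```

The rules cover TCP only; if your nodes run with peer discovery enabled, the discovery protocol uses UDP on the p2p port and needs an equivalent rule. The dashboard rules also assume the reverse-proxy alternative from the answer is not in use; with a proxy, the proxy's own port is what gets opened to the outside and 22004 stays loopback-only.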
Eithcowich commented 5 years ago

Thanks.

Can any node from the outside hit any of the open ports and get a response, or is communication limited to nodes in the Quorum network?

Eithcowich commented 5 years ago

I got a response from the quorum Slack. Here it is:

There is a flag named "--permissioned" that allows this. You supply a file called "permissioned-nodes.json" with the enode IDs of the nodes you want to allow to connect to/from. It should be the same format as the static-nodes.json file.

Check out this link for more details:
https://github.com/jpmorganchase/quorum/blob/master/docs/running.md#permissioned-network

Is Quorum Maker taking care of this? Generating the permissioned-nodes.json and starting the nodes with the --permissioned flag?
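The permissioned-nodes.json mechanism from the Slack reply, as an added example that is neither Quorum Maker's nor Quorum's own code: a POSIX shell script that derives permissioned-nodes.json from static-nodes.json (the same format, a JSON array of enode URLs), checks that each entry is a well-formed enode URL, and keeps only entries whose host appears in a separate allowlist file. The allowlist file and the `is_valid_enode`, `enode_host` and `build_permissioned` helpers are assumptions of this example; the file contents below are constructed sample data. No jq is needed; the URLs are pulled out of the JSON with grep.

```shell
# Added example, not Quorum Maker's code. Builds permissioned-nodes.json from
# static-nodes.json, dropping malformed enode URLs and hosts not on an allowlist.

# is_valid_enode URL -> success if URL is enode://<128 hex>@host:port[?query]
is_valid_enode() {
  printf '%s\n' "$1" | grep -Eq '^enode://[0-9a-fA-F]{128}@[A-Za-z0-9.-]+:[0-9]{1,5}(\?[A-Za-z0-9=&]*)?$'
}

# enode_host URL -> the host part between '@' and ':'
enode_host() {
  printf '%s\n' "$1" | sed -E 's|^enode://[^@]*@([^:]*):.*$|\1|'
}

# build_permissioned STATIC_JSON ALLOWED_HOSTS_FILE -> JSON array on stdout.
# Malformed URLs and hosts outside the allowlist are reported on stderr and skipped,
# so a typo in static-nodes.json cannot silently widen the permissioned set.
build_permissioned() {
  static="$1"; allowed="$2"
  printf '[\n'
  sep=''
  grep -oE 'enode://[^"]+' "$static" | while IFS= read -r url; do
    if ! is_valid_enode "$url"; then
      printf 'skipping malformed enode: %s\n' "$url" >&2
      continue
    fi
    host=$(enode_host "$url")
    if ! grep -qxF "$host" "$allowed"; then
      printf 'skipping %s: host %s not in allowlist\n' "$url" "$host" >&2
      continue
    fi
    if [ -n "$sep" ]; then printf ',\n'; fi
    printf '  "%s"' "$url"
    sep=yes
  done
  printf '\n]\n'
}

# count_permissioned STATIC_JSON ALLOWED_HOSTS_FILE -> number of entries kept
count_permissioned() {
  build_permissioned "$1" "$2" 2>/dev/null | grep -c 'enode://'
}

# Constructed sample data: three well-formed keys (128 hex chars each) and one
# malformed entry; only two hosts are on the allowlist.
key_a=$(printf '%0128d' 0 | tr 0 a)
key_b=$(printf '%0128d' 0 | tr 0 b)
key_c=$(printf '%0128d' 0 | tr 0 c)
tmp=$(mktemp -d)
cat > "$tmp/static-nodes.json" <<EOF
[
  "enode://$key_a@10.0.0.11:22000?discport=0&raftport=50401",
  "enode://$key_b@10.0.0.12:22000?discport=0&raftport=50401",
  "enode://not-a-key@10.0.0.13:22000?discport=0",
  "enode://$key_c@203.0.113.9:22000?discport=0&raftport=50401"
]
EOF
printf '10.0.0.11\n10.0.0.12\n' > "$tmp/allowed-hosts.txt"

build_permissioned "$tmp/static-nodes.json" "$tmp/allowed-hosts.txt" > "$tmp/permissioned-nodes.json"
cat "$tmp/permissioned-nodes.json"
```

Run against real files by passing their paths to `build_permissioned`; the generated file is then what the node reads when started with `--permissioned`. Keeping the allowlist separate from static-nodes.json means adding a static peer for connectivity does not automatically grant it permission, which is the distinction the flag exists to enforce.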

rjbanner commented 5 years ago

We don't use the permissioned-nodes.json file. Instead we implemented a whitelist feature and allow nodes to accept/reject dynamic join requests.

dhyansraj commented 5 years ago

Not an issue. Closing. Please reopen otherwise.