Allow IPFS connections on private network

(HAProxy is now also using the private network.) This fixes IPFS connections to Kosmos nodes from outside the network, as well as in between nodes on the private network.
2022-11-02 14:06:07 +01:00 · 2022-11-02 14:06:07 +01:00 · b1922d26f6
parent f7ff1248fe
commit b1922d26f6
2 changed files with 51 additions and 5 deletions
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@ -5,10 +5,6 @@ node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
  # The default gateway is already used by kosmos' hubot (8080)
  "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
-  # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
-  # lead to a slight performance improvement, as well as a reduction in memory
-  # usage.
-  'Swarm.DisableBandwidthMetrics' => true,
  # API with Web UI
  "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
  # Enable bandwith metrics
@ -19,7 +15,41 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
  # operation
  'Swarm.ConnMgr.HighWater' => 40,
  # Minimum number of connections to maintain
-  'Swarm.ConnMgr.LowWater' => 20
+  'Swarm.ConnMgr.LowWater' => 20,
+  # Do not dial out to these IP ranges
+  # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+  # private network
+  'Swarm.AddrFilters' => [
+                          '/ip4/10.128.0.0/ipcidr/9',
+                          '/ip4/10.64.0.0/ipcidr/10',
+                          '/ip4/10.32.0.0/ipcidr/11',
+                          '/ip4/10.16.0.0/ipcidr/12',
+                          '/ip4/10.8.0.0/ipcidr/13',
+                          '/ip4/10.4.0.0/ipcidr/14',
+                          '/ip4/10.2.0.0/ipcidr/15',
+                          '/ip4/10.0.0.0/ipcidr/16',
+                          '/ip4/10.1.128.0/ipcidr/17',
+                          '/ip4/10.1.64.0/ipcidr/18',
+                          '/ip4/10.1.32.0/ipcidr/19',
+                          '/ip4/10.1.16.0/ipcidr/20',
+                          '/ip4/10.1.8.0/ipcidr/21',
+                          '/ip4/10.1.4.0/ipcidr/22',
+                          '/ip4/10.1.2.0/ipcidr/23',
+                          '/ip4/10.1.0.0/ipcidr/24',
+                          '/ip4/100.64.0.0/ipcidr/10',
+                          '/ip4/169.254.0.0/ipcidr/16',
+                          '/ip4/172.16.0.0/ipcidr/12',
+                          '/ip4/192.0.0.0/ipcidr/24',
+                          '/ip4/192.0.0.0/ipcidr/29',
+                          '/ip4/192.0.0.8/ipcidr/32',
+                          '/ip4/192.0.0.170/ipcidr/32',
+                          '/ip4/192.0.0.171/ipcidr/32',
+                          '/ip4/192.0.2.0/ipcidr/24',
+                          '/ip4/192.168.0.0/ipcidr/16',
+                          '/ip4/198.18.0.0/ipcidr/15',
+                          '/ip4/198.51.100.0/ipcidr/24',
+                          '/ip4/203.0.113.0/ipcidr/24',
+                          '/ip4/240.0.0.0/ipcidr/4'],
 }

 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@ -24,3 +24,19 @@ firewall_rule 'ipfs_api' do
  command  :allow
  logging  :connections
 end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+  destination "10.1.1.0/24"
+  direction   :out
+  protocol    :none
+  command     :allow
+  logging     :connections
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+  destination "10.0.0.0/8"
+  direction   :out
+  protocol    :none
+  command     :deny
+  logging     :connections
+end