2022-11-02 18:32:44 +00:00
2 changed files with 51 additions and 5 deletions
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@ -5,10 +5,6 @@ node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
  # The default gateway is already used by kosmos' hubot (8080)
  "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
-  # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
-  # lead to a slight performance improvement, as well as a reduction in memory
-  # usage.
-  'Swarm.DisableBandwidthMetrics' => true,
  # API with Web UI
  "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
  # Enable bandwith metrics
@ -19,7 +15,41 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
  # operation
  'Swarm.ConnMgr.HighWater' => 40,
  # Minimum number of connections to maintain
-  'Swarm.ConnMgr.LowWater' => 20
+  'Swarm.ConnMgr.LowWater' => 20,
+  # Do not dial out to these IP ranges
+  # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+  # private network
+  'Swarm.AddrFilters' => [
+                          '/ip4/10.128.0.0/ipcidr/9',
+                          '/ip4/10.64.0.0/ipcidr/10',
+                          '/ip4/10.32.0.0/ipcidr/11',
+                          '/ip4/10.16.0.0/ipcidr/12',
+                          '/ip4/10.8.0.0/ipcidr/13',
+                          '/ip4/10.4.0.0/ipcidr/14',
+                          '/ip4/10.2.0.0/ipcidr/15',
+                          '/ip4/10.0.0.0/ipcidr/16',
+                          '/ip4/10.1.128.0/ipcidr/17',
+                          '/ip4/10.1.64.0/ipcidr/18',
+                          '/ip4/10.1.32.0/ipcidr/19',
+                          '/ip4/10.1.16.0/ipcidr/20',
+                          '/ip4/10.1.8.0/ipcidr/21',
+                          '/ip4/10.1.4.0/ipcidr/22',
+                          '/ip4/10.1.2.0/ipcidr/23',
+                          '/ip4/10.1.0.0/ipcidr/24',
+                          '/ip4/100.64.0.0/ipcidr/10',
+                          '/ip4/169.254.0.0/ipcidr/16',
+                          '/ip4/172.16.0.0/ipcidr/12',
+                          '/ip4/192.0.0.0/ipcidr/24',
+                          '/ip4/192.0.0.0/ipcidr/29',
+                          '/ip4/192.0.0.8/ipcidr/32',
+                          '/ip4/192.0.0.170/ipcidr/32',
+                          '/ip4/192.0.0.171/ipcidr/32',
+                          '/ip4/192.0.2.0/ipcidr/24',
+                          '/ip4/192.168.0.0/ipcidr/16',
+                          '/ip4/198.18.0.0/ipcidr/15',
+                          '/ip4/198.51.100.0/ipcidr/24',
+                          '/ip4/203.0.113.0/ipcidr/24',
+                          '/ip4/240.0.0.0/ipcidr/4'],
 }

 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@ -24,3 +24,19 @@ firewall_rule 'ipfs_api' do
  command  :allow
  logging  :connections
 end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+  destination "10.1.1.0/24"
+  direction   :out
+  protocol    :none
+  command     :allow
+  logging     :connections
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+  destination "10.0.0.0/8"
+  direction   :out
+  protocol    :none
+  command     :deny
+  logging     :connections
+end