Proper firewall configuration is critical for blockchain node security and optimal network connectivity. This chapter provides comprehensive coverage of port management, firewall configuration, and network security best practices for blockchain nodes.
ETHEREUM NETWORK PORTS
━━━━━━━━━━━━━━━━━━━━━━

P2P NETWORKING (Required for node operation)

Port    Protocol   Purpose                    Access
━━━━    ━━━━━━━━   ━━━━━━━                    ━━━━━━
30303   TCP/UDP    P2P networking             Public (0.0.0.0)
30303   UDP        Discovery (Discv5)         Public

Port    Protocol   Purpose                    Access
━━━━    ━━━━━━━━   ━━━━━━━                    ━━━━━━
8545    TCP        HTTP JSON-RPC              Internal only
8546    TCP        WebSocket RPC              Internal only
8550    TCP        Engine API (Consensus)     Internal only
8551    TCP        Engine API (Auth)          Internal only

Port    Protocol   Purpose                    Access
━━━━    ━━━━━━━━   ━━━━━━━                    ━━━━━━
6060    TCP        Prometheus metrics         Internal
6061    TCP        pprof debugging            Internal
6062    TCP        p2p debugging              Internal
Port    Protocol   Purpose              Access
━━━━    ━━━━━━━━   ━━━━━━━              ━━━━━━
26656   TCP        P2P networking       Public
26657   TCP        RPC API              Internal
26660   TCP        Prometheus metrics   Internal
9090    TCP        gRPC                 Internal
1317    TCP        REST API             Internal
26658   TCP        P2P metrics          Internal

Port    Protocol   Purpose                    Access
━━━━    ━━━━━━━━   ━━━━━━━                    ━━━━━━
8333    TCP        P2P networking (Mainnet)   Public
8332    TCP        RPC API (Mainnet)          Internal
18333   TCP        P2P networking (Testnet)   Public
18332   TCP        RPC API (Testnet)          Internal

Port         Protocol   Purpose                        Access
━━━━         ━━━━━━━━   ━━━━━━━                        ━━━━━━
8000-10000   TCP        TPU (Transaction Processing)   Public
8900         TCP        RPC API                        Internal
8901         TCP        WebSocket                      Internal
7070         TCP        P2P networking                 Public
# View available applications
sudo ufw app list

# Default policies - SECURE
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH with rate limiting (prevents brute force)
sudo ufw limit 22/tcp comment 'SSH with rate limiting'

# Allow P2P networking (Ethereum)
sudo ufw allow 30303/tcp comment 'Ethereum P2P TCP'
sudo ufw allow 30303/udp comment 'Ethereum Discovery UDP'

# Allow RPC only from a specific network (replace with your own range)
sudo ufw allow from 10.0.0.0/8 to any port 8545 proto tcp comment 'RPC from private network'

# Allow Prometheus metrics (internal only)
sudo ufw allow from 127.0.0.1 to any port 6060 proto tcp comment 'Prometheus'

# Allow Grafana (if running on same host)
sudo ufw allow from 127.0.0.1 to any port 3000 proto tcp comment 'Grafana'

# View rules before enabling, then enable the firewall
sudo ufw show added
sudo ufw enable
# Allow all outbound traffic and everything on the loopback interface
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH with rate limiting: drop a source after 4 new connections within 60 seconds
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# P2P networking (Ethereum)
iptables -A INPUT -p tcp --dport 30303 -j ACCEPT
iptables -A INPUT -p udp --dport 30303 -j ACCEPT

# RPC (internal network only) and metrics (loopback only)
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 8545 -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 6060 -j ACCEPT

# Default-deny everything else; set last so the ACCEPT rules above are already in place
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Persist the ruleset (loaded at boot by iptables-persistent / netfilter-persistent)
iptables-save > /etc/iptables/rules.v4
AWS SECURITY GROUP CONFIGURATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Type         Protocol   Port    Source        Purpose
━━━━         ━━━━━━━━   ━━━━    ━━━━━━        ━━━━━━━
Custom TCP   TCP        30303   0.0.0.0/0     Ethereum P2P
Custom TCP   TCP        8545    10.0.0.0/16   RPC (private)
SSH          TCP        22      <YOUR_IP>     Admin access

Type          Protocol   Port   Destination   Purpose
━━━━          ━━━━━━━━   ━━━━   ━━━━━━━━━━━   ━━━━━━━
All Traffic   ALL        ALL    0.0.0.0/0     Default allow

- Never open RPC to 0.0.0.0/0
- Use specific IP ranges for access
- Enable only required ports
- Use VPC for node isolation
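As an added example (not code from the original chapter), the rules of thumb in the table above expressed as a check: it reads the ingress permissions that `aws ec2 describe-security-groups` returns and flags RPC/metrics ports open to 0.0.0.0/0, and SSH allowed from more than a single address. The port sets, severities and the embedded sample group are assumptions chosen to match this chapter.

```python
"""Flag AWS security-group ingress rules that break the chapter's guidance:
only P2P (30303) may face 0.0.0.0/0, RPC/metrics never, and SSH should come
from one admin address.  Input is the IpPermissions list returned by
`aws ec2 describe-security-groups` (constructed sample below)."""
import ipaddress

P2P_PORTS = {30303}               # the only ports allowed from the whole internet
ADMIN_PORTS = {22}                # should be limited to the administrator's /32
INTERNET = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Ports a permission covers; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def check_ingress(permissions):
    """Return a list of (severity, message) for risky ingress rules."""
    findings = []
    for perm in permissions:
        if perm.get("IpProtocol") not in ("-1", "tcp", "udp"):
            continue                                   # icmp etc. are out of scope
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        exposed = sorted(set(_port_range(perm)) - P2P_PORTS)
        if not exposed:
            continue                                   # P2P only: public by design
        label = (f"port {exposed[0]}" if len(exposed) == 1
                 else f"ports {exposed[0]}-{exposed[-1]}")
        for cidr in cidrs:
            if set(exposed) <= ADMIN_PORTS:
                if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                    findings.append(("MEDIUM", f"{label} from {cidr}: restrict SSH to <YOUR_IP>/32"))
            elif cidr in INTERNET:
                findings.append(("HIGH", f"{label} open to {cidr}: RPC/metrics must never be public"))
    return findings


# Constructed sample: a group with the mistake the table above warns about (RPC to 0.0.0.0/0).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 30303, "ToPort": 30303,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 30303, "ToPort": 30303, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8545, "ToPort": 8546, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 6060, "ToPort": 6060, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
```

Running `check_ingress(SAMPLE_PERMISSIONS)` yields one HIGH finding for the RPC range and one MEDIUM finding for SSH allowed from a /24.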
# Allow P2P from anywhere
gcloud compute firewall-rules create allow-ethereum-p2p \
  --description "Allow Ethereum P2P networking" \
  --allow tcp:30303,udp:30303 \
  --source-ranges 0.0.0.0/0 \
  --target-tags blockchain-node

# Allow RPC from internal network
gcloud compute firewall-rules create allow-ethereum-rpc \
  --description "Allow Ethereum RPC from internal" \
  --allow tcp:8545 \
  --source-ranges 10.128.0.0/9 \
  --target-tags blockchain-node

# Allow SSH from specific IP
gcloud compute firewall-rules create allow-ssh \
  --description "Allow SSH" \
  --allow tcp:22 \
  --source-ranges <YOUR_IP>/32 \
  --target-tags blockchain-node
# Create the network security group
az network nsg create \
  --resource-group myResourceGroup \
  --name blockchain-node-nsg

# Allow P2P from anywhere (TCP and UDP); rule names and priorities are example values
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name blockchain-node-nsg \
  --name allow-ethereum-p2p --priority 100 \
  --access Allow --protocol '*' \
  --source-address-prefix Internet \
  --destination-port-range 30303

# Allow RPC from the virtual network only
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name blockchain-node-nsg \
  --name allow-ethereum-rpc --priority 110 \
  --access Allow --protocol Tcp \
  --source-address-prefix VirtualNetwork \
  --destination-port-range 8545
Port    Public   Internal   Authentication   Encryption
━━━━    ━━━━━━   ━━━━━━━━   ━━━━━━━━━━━━━━   ━━━━━━━━━━
30303   ✅ Yes   ✅ Yes     None             None
8545    ❌ No    ✅ Yes     API Key          TLS Optional
8546    ❌ No    ✅ Yes     API Key          WSS
6060    ❌ No    ✅ Yes     None             None
22      ❌ No    ❌ No      SSH Key + MFA    SSH

✅ Yes - Required/Allowed
# Create isolated network namespace for node
sudo ip netns add blockchain-node

# Run node in isolated namespace (a new namespace has only a loopback
# interface: add a veth pair and routes first, or the node cannot reach peers)
sudo ip netns exec blockchain-node geth [options]

# Or use Docker network isolation
docker network create --driver bridge blockchain-net
docker run -d --name blockchain-node \
  --network blockchain-net \
  <geth-image> [options]
Issue                 Cause               Solution
━━━━━                 ━━━━━               ━━━━━━━━
P2P not connecting    Firewall blocking   Check ports 30303 TCP/UDP
RPC timeout           Wrong IP binding    Bind to 0.0.0.0 or correct IP
Discovery failing     UDP blocked         Enable UDP 30303
Metrics not exposed   Port not enabled    Enable --metrics flag
# Check if port is listening (netstat is deprecated on most distributions; ss replaces it)
sudo netstat -tlnp | grep 8545
sudo ss -tlnp | grep 8545

# Test external connectivity
nc -zv <external-ip> 30303
telnet <external-ip> 8545

# Check firewall rules
sudo iptables -L -n | grep 8545
sudo ufw status | grep 8545

# Test from external location (should be refused or time out if RPC is correctly restricted)
curl http://<external-ip>:8545
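An added example, not from the original chapter, that automates the listening-socket check above against the security matrix: it parses `ss -tulnp` output and reports internal-only ports bound to a wildcard address (the "Wrong IP binding" case, seen from the defender's side). The port policy mirrors the Ethereum port table in this chapter; the sample output is constructed.

```python
"""Audit a node's listening sockets against this chapter's exposure matrix.
Parses `ss -tulnp` (or `ss -tlnp` / `ss -ulnp`) output and reports internal-only
ports (RPC, Engine API, metrics) bound to a wildcard, i.e. every interface."""
import re

# Exposure policy taken from the Ethereum port table in this chapter.
PORT_POLICY = {
    30303: "public",      # P2P networking and discovery
    8545: "internal",     # HTTP JSON-RPC
    8546: "internal",     # WebSocket RPC
    8550: "internal",     # Engine API
    8551: "internal",     # Engine API (auth)
    6060: "internal",     # Prometheus metrics
    6061: "internal",     # pprof debugging
    6062: "internal",     # p2p debugging
}
# How ss prints "all interfaces" for IPv4, IPv6 and dual-stack sockets.
WILDCARDS = {"0.0.0.0", "*", "[::]", "[::ffff:0.0.0.0]"}
_LOCAL_RE = re.compile(r"^(?P<addr>\[.*\]|[^:\s]+):(?P<port>\d+)$")


def parse_ss(output):
    """Yield (proto, addr, port) per socket; locates the State column so the
    optional Netid column (present with -tu, absent with -t or -u alone) is fine."""
    for line in output.splitlines():
        cols = line.split()
        state = next((i for i, c in enumerate(cols) if c in ("LISTEN", "UNCONN")), None)
        if state is None or len(cols) <= state + 3:
            continue
        m = _LOCAL_RE.match(cols[state + 3])          # Local Address:Port column
        if m:
            proto = cols[0] if state == 1 else ("udp" if cols[state] == "UNCONN" else "tcp")
            yield proto, m.group("addr"), int(m.group("port"))


def audit(output):
    """Return (port, addr, reason) for every internal-only port bound to a wildcard."""
    return [(port, addr, f"internal-only {proto} port bound to all interfaces")
            for proto, addr, port in parse_ss(output)
            if PORT_POLICY.get(port) == "internal" and addr in WILDCARDS]


# Constructed sample resembling `ss -tulnp` on a node whose RPC and metrics
# ports were bound to 0.0.0.0 / [::] instead of localhost.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:8545      0.0.0.0:*     users:(("geth",pid=1,fd=20))
tcp   LISTEN 0      4096   127.0.0.1:8546    0.0.0.0:*     users:(("geth",pid=1,fd=21))
tcp   LISTEN 0      4096   [::]:6060         [::]:*        users:(("geth",pid=1,fd=22))
tcp   LISTEN 0      4096   *:30303           *:*           users:(("geth",pid=1,fd=23))
udp   UNCONN 0      0      *:30303           *:*           users:(("geth",pid=1,fd=24))
"""
```

On a live host, pipe the real output in: `audit(subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout)`; for the sample above it reports 8545 on 0.0.0.0 and 6060 on [::], while the loopback-bound 8546 and the public P2P port pass.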
Q: Which ports need to be open for Ethereum P2P?
A: 30303 TCP and UDP

Q: How do you secure RPC access?
A: Bind to localhost, use firewall, enable TLS

Q: What is the difference between P2P and RPC ports?
A: P2P is for node-to-node communication, RPC is for client applications

Q: Why is UDP needed for Ethereum?
A: For node discovery (Discv5 protocol)

Q: How do you restrict RPC to internal network?
A: Use firewall rules or bind to internal IP
- Always apply the least-privilege principle to firewall rules
- Never expose RPC ports to the public internet
- Use cloud provider security groups for cloud deployments
- Implement rate limiting for SSH to prevent brute force
- Test port connectivity after configuration
In Chapter 26: Node Bootstrap & Static Peers, we'll explore node discovery and peer connections.
Last Updated: 2026-02-20