Merge branch 'master' of https://github.com/nuriel77/iri-playbook

nuriel77 · Jan 21, 2018 · 3817d6f · 3817d6f
2 parents de64a35 + 6d93702
commit 3817d6f
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 11 deletions.
diff --git a/docs/remote-access.rst b/docs/remote-access.rst
@@ -55,18 +55,44 @@ After IRI initializes, you will see (by issuing ``lsof -Pni|grep java``) that th
 Expose IRI API Port in Firewall
 -------------------------------
 
-On **CentOS** we run the command:
+Allowing the port via the playbook
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+If you followed the steps above (enabling the ``--remote`` option in the configuration file) you will need to allow the port in the firewall.
+
+You can do this using the playbook which as a bonus also adds rate limiting (approximately max. 6 connections per 30 seconds).
+
+On **CentOS**::
+
+  cd /opt/iri-playbook && git pull && ansible-playbook -i inventory -v site.yml --tags=iri_firewalld -e api_port_remote=yes
+
+On **Ubuntu**::
+
+  cd /opt/iri-playbook && git pull && ansible-playbook -i inventory -v site.yml --tags=iri_ufw -e api_port_remote=yes
+
+
+Allowing the port manually
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+On **CentOS** we run the command (which also adds rate limiting):
 
 .. code:: bash
 
-   firewall-cmd --add-port=14265/tcp --zone=public --permanent && firewall-cmd --reload
+   firewall-cmd --remove-port=14265/tcp --zone=public --permanent && firewall-cmd --zone=public --permanent --add-rich-rule='rule port port="14265" protocol="tcp" limit value=10/m accept' && firewall-cmd --reload
+
 
-And on **Ubuntu**:
+
+On **Ubuntu**:
 
 .. code:: bash
 
    ufw allow 14265/tcp
 
+And to add rate limits:
+
+.. code:: bash
+
+   ufw limit 14265/tcp comment 'IRI API port rate limit'
+
 
 Now you should be able to point your (desktop's) light wallet to your server's IP:port (e.g. 80.120.140.100:14265)
 

diff --git a/roles/iri/tasks/firewalld.yml b/roles/iri/tasks/firewalld.yml
@@ -18,9 +18,9 @@
     state: enabled
     immediate: yes
 
-- name: allow iri api port in firewall
+- name: allow and rate limit api port in firewall
   firewalld:
-    port: "{{ iri_api_port }}/tcp"
+    rich_rule: 'rule port port={{ iri_api_port }} protocol=tcp limit value="12/m" accept'
     permanent: true
     state: enabled
     immediate: yes

diff --git a/roles/iri/tasks/ufw.yml b/roles/iri/tasks/ufw.yml
@@ -12,12 +12,29 @@
     proto: udp
     port: "{{ iri_udp_port }}"
 
-- name: allow iri api port in firewall
-  ufw:
-    rule: allow
-    direction: in
-    proto: tcp
-    port: "{{ iri_api_port }}"
+- name: ufw iri port
+  block:
+    - name: allow iri api port in firewall
+      ufw:
+        rule: allow
+        direction: in
+        proto: tcp
+        port: "{{ iri_api_port }}"
+        log: yes
+
+    # ufw supports connection rate limiting, which is useful for protecting
+    # against denial of service attacks. ufw will deny connections if an IP
+    # address has attempted to initiate 6 or more connections in the last
+    # 30 seconds. See  http://www.debian-administration.org/articles/187
+    # for details.
+    - name: rate limit iri api port in firewall
+      ufw:
+        rule: limit
+        direction: in
+        proto: tcp
+        port: "{{ iri_api_port }}"
+        log: yes
+
   when: api_port_remote is defined and api_port_remote
 
 - name: allow ssh port firewall