SGXWallet network configuration
SKALE node infrastructure includes two parts: the SKALE node itself and the SGX wallet. The SGX wallet is a separate server that supports Intel SGX.
For security reasons, the SKALE node software requires a firewall.
The node firewall is configured by the SKALE node software. You can customize the rules, but only if you know for sure that the change does not break anything.
The firewall for the SGX server must be configured manually. The expectation is the following: nodes connected to the SGX wallet should be able to send traffic to ports 1026, 1027 and 1031; for everyone else, these ports must be closed.
Below you can see configuration steps for the SGX server that you can use directly or as an example.
Let's assume your SGX wallet is deployed to a server with IP address S.S.S.S and network interface INT (you can find the actual values using the ip a command).
You also have two nodes, with the IP addresses A.A.A.A and B.B.B.B.
Besides ports 1026, 1027 and 1031, we will do the same for ports 1028, 1029 and 1030: the SGX wallet also listens on them for historical reasons, although they are not used.
Docker uses iptables under the hood, so it should already be installed on your system.
We also recommend installing iptables-persistent to make sure the custom rules persist after a reboot.
sudo apt-get install iptables-persistent
Since SGX is run using Docker, we need to add the custom configuration to the DOCKER-USER chain.
The following rule prevents anyone except the host itself from connecting to the Docker-exposed ports:
sudo iptables -I DOCKER-USER -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j DROP
The following rules open the exposed ports to the two node addresses:
sudo iptables -I DOCKER-USER -s A.A.A.A -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
sudo iptables -I DOCKER-USER -s B.B.B.B -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
Inserting into iptables means "adding on top", so these rules are processed before the DROP rule that was inserted in the previous step.
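As an added example (not code from the SKALE docs or software), the script below builds the same rules from variables and checks an iptables -S DOCKER-USER listing for the ordering this step depends on. It uses the placeholders INT, A.A.A.A and B.B.B.B from the text and two constructed listings instead of a live host:

```shell
#!/bin/sh
# Added example, not from the SKALE docs or software: build the DOCKER-USER rules for the
# SGX host and check a rule listing for the ordering the text relies on (ACCEPTs before DROP).
# INT, A.A.A.A and B.B.B.B are the placeholders used in the text; override via environment.
SGX_IFACE="${SGX_IFACE:-INT}"
SGX_PORTS="1026,1027,1028,1029,1030,1031"
ALLOWED_NODES="${ALLOWED_NODES:-A.A.A.A B.B.B.B}"

# Emit the commands in the order the text applies them: DROP first, then one ACCEPT per
# node. Because -I inserts at the top, the ACCEPTs end up above the DROP in the chain.
sgx_rule_commands() {
    echo "iptables -I DOCKER-USER -i $SGX_IFACE -p tcp -m multiport --dports $SGX_PORTS -j DROP"
    for node in $ALLOWED_NODES; do
        echo "iptables -I DOCKER-USER -s $node -i $SGX_IFACE -p tcp -m multiport --dports $SGX_PORTS -j ACCEPT"
    done
}

# Read an 'iptables -S DOCKER-USER' listing from stdin and verify that a DROP for the SGX
# ports exists and that every allowed node has an ACCEPT for them placed before it.
# Returns 0 when the chain matches, 1 (with a reason) otherwise.
sgx_check_listing() {
    listing=$(cat)
    drop_line=$(printf '%s\n' "$listing" | grep -n -- "-i $SGX_IFACE .*--dports $SGX_PORTS -j DROP" | head -n1 | cut -d: -f1)
    [ -n "$drop_line" ] || { echo "missing DROP rule for the SGX ports"; return 1; }
    for node in $ALLOWED_NODES; do
        accept_line=$(printf '%s\n' "$listing" | grep -n -- "-s $node/32 .*--dports $SGX_PORTS -j ACCEPT" | head -n1 | cut -d: -f1)
        [ -n "$accept_line" ] || { echo "missing ACCEPT for $node"; return 1; }
        [ "$accept_line" -lt "$drop_line" ] || { echo "ACCEPT for $node sits below the DROP"; return 1; }
    done
    return 0
}

# Constructed listings (not captured from a real host). The first is what the chain should
# look like after the commands above; the second has the DROP inserted last, so it shadows the ACCEPTs.
SAMPLE_GOOD_LISTING='-N DOCKER-USER
-A DOCKER-USER -s B.B.B.B/32 -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
-A DOCKER-USER -s A.A.A.A/32 -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
-A DOCKER-USER -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j DROP
-A DOCKER-USER -j RETURN'
SAMPLE_BAD_LISTING='-N DOCKER-USER
-A DOCKER-USER -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j DROP
-A DOCKER-USER -s A.A.A.A/32 -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
-A DOCKER-USER -s B.B.B.B/32 -i INT -p tcp -m multiport --dports 1026,1027,1028,1029,1030,1031 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Stand-alone run: print the commands, then check both listings.
sgx_rule_commands
printf '%s\n' "$SAMPLE_GOOD_LISTING" | sgx_check_listing && echo "good listing: ok"
printf '%s\n' "$SAMPLE_BAD_LISTING" | sgx_check_listing || echo "bad listing: rejected as expected"
```

On a real host, pipe the output of sudo iptables -S DOCKER-USER into sgx_check_listing after applying the rules; it reports the first node whose ACCEPT is missing or sits below the DROP.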
To test the setup, we can ssh to the nodes (A.A.A.A and B.B.B.B) and try to connect to SGX using telnet.
You can see the command for port 1026 below:
telnet S.S.S.S 1026
You should see the following output:
Trying S.S.S.S...
Connected to S.S.S.S.
Escape character is '^]'.
All other clients should hang at this step and eventually time out:
Trying S.S.S.S...
telnet: Unable to connect to remote host: Connection timed out
You can also use other tools, such as nmap, to examine the ports.