# Configuring Sentries (for Validators)
Although not essential, it is highly recommended to configure at least one (preferably two or more) sentries to protect a validator node. Conceptually, sentries act as a P2P "firewall" for a validator node, protecting it from DDoS and other attacks. The validator node runs in private subnet and communicates only with its configured sentries, which relay information to and from the public blockchain network.
The Validator should have egress access to the Internet via a configured NAT or Proxy to allow for software updates etc.
This guide will outline the steps and configurations required to set up a 2-Sentry network. It will use generic IP addresses and pseudo firewall rules for demonstration purposes only and should therefore not be copied verbatim to your own configuration. SSH configuration is out of scope for this guide, which will only deal with the required P2P ports. It is assumed the reader has configured their own SSH tunnel, Bastion etc. for access to their nodes.
# Example Network
Cloud platforms each have their own methods for configuring public and private subnets. Generally, hosts on a private subnet will not be assigned a public IP and will require Internet access via a NAT gateway or similar. Hosts on a public subnet will be assigned a public IP, and will have direct access to the Internet. If the subnets are created within the same VPN, then communication should be possible between hosts on the different subnets.
Configuring VPNs and subnets is out of scope for this guide
Public IP: N/A
# Sentry 1
# Sentry 2
# Firewall Configuration
There should be two firewall rules covering P2P access - one for private access between sentries and the Validator, and another of public P2P access. For example:
- Validator - allow ingress on port
10.1.1.4/32(Sentry 1) and
- Sentries - allow ingres access on port
# Node Configuration
The Sentry nodes should be installed, running, and fully synced. Once fully synced, it is possible to reconfigure the
nodes to communicate directly with each other by editing the
All configuration parameters are in the
[p2p] section of
config.toml should contain somethign along the lines of:
seeds = "" pex = false persistent_peers = "sentr[email protected]:26656,[email protected]:26656" unconditional_peer_ids = "sentry_1_node_id,sentry_2_node_id" addr_book_strict = false
seedsis not required to be set, because the validator should not communicate directly with other P2P nodes that are not its sentries, or broadcast its P2P address.
pexis set to
false, since the validator will not broadcast or consume the wider network's P2P data.
persistent_peersis set to the two Sentry nodes' P2P addresses.
unconditional_peer_idsensures that the validator will always try to connect to the sentry nodes.
addr_book_strictallows the node address book to store private IP addresses, since
persistent_peersis configured to use the private IPs of the sentry nodes.
# Sentry 1
Sentry 1 should be configured to connect to the Validator and to Sentry 2, for example:
seeds = "[email protected]:26656,e66e0f89a[email protected]:26656" pex = true persistent_peers = "validator_no[email protected]:26656,[email protected]:26656," unconditional_peer_ids = "validator_node_id,sentry_2_node_id" private_peer_ids= "validator_node_id" addr_book_strict = false
seedsis set as normal, so that the Sentry can query for more P2P addresses and broadcast its own
pexis set to true to allow for P2P address propagation
persistent_peersis set to the Validator (private IP), and optionally Sentry 2. Note that for Sentry 2 the public IP is used, otherwise the private IP version of the node address would be stored in its address book and broadcast.
unconditional_peer_idsis set to the Validator's Node ID and optionally Sentry 2's Node ID
private_peer_idsis set to the Validator's Node ID to ensure that its P2P address is never gossiped/broadcast to the network.
addr_book_strictis set to false to allow the node to store the validator's private IP.
# Sentry 2
Sentry 2 should be configured to connect to the Validator and to Sentry 1, for example:
seeds = "[email protected]:26656,e66e0f89a[email protected]:26656" pex = true persistent_peers = "validator_no[email protected]:26656,[email protected]:26656," unconditional_peer_ids = "validator_node_id,sentry_1_node_id" private_peer_ids= "validator_node_id" addr_book_strict = false
Notes are similar to those outlined for Sentry 1.