6.1 Firewall Settings
A tightly controlled firewall lets your node participate in peer-to-peer networks while blocking unsolicited traffic. This page lists the mandatory ports for each supported blockchain client of the LUKSO network, followed by firewall commands to open their communication channels and check their current status.
Please ensure you have a basic understanding of blockchain networks before operating a node. If you're not yet familiar with Proof of Stake, Tokenomics, Penalties, Client Types or Client Providers, please refer to the 🧠 Theory section.
1. Open Network Ports
Your node needs specific inbound ports open so that execution and consensus clients can exchange blocks, transactions, and peer‑discovery messages. Below is a list of the TCP and UDP ports each client uses. By opening these ports on your node’s firewall, you ensure that your client stays in sync and reachable by the wider network.
Consensus clients rely on broad outbound connectivity to discover other nodes, meaning only inbound traffic will be restricted.
PORT | CLIENT | DESCRIPTION | TCP | UDP |
---|---|---|---|---|
30303 | Geth, Erigon, Nethermind, Besu | Execution Chain Data & Discovery | ✔️ | ✔️ |
9000 | Lighthouse, Teku, Nimbus-Eth2 | Beacon Gossip & Data | ✔️ | ✔️ |
13000 | Prysm | Beacon Gossip, Requests, Responses | ✔️ | |
12000 | Prysm | Beacon Discovery, Data Exchange | | ✔️ |
Clients use extra ports for monitoring, which don't need firewall exposure. Check the Monitoring chapter for details.
2. Configure Firewall
You can apply the specific port settings to your firewall.
The following step is performed on your 💻 personal computer.
2.1 Node Connection: Log in to your node if you are not already connected.
ssh <ssh-device-alias>
The following steps are performed on your 📟 node server.
2.2 Add Port Rules: Allow the TCP and UDP ports depending on which clients you want to operate.
You will have to choose one execution client and one consensus client.
- Execution Clients: Geth, Erigon, Nethermind, Besu
- Consensus Clients: Prysm, Lighthouse, Teku, Nimbus-Eth2
Further details about Client Types and Client Providers can be found in the 🧠 Theory section.
- Geth, Erigon, Nethermind, Besu:
sudo ufw allow 30303/tcp
sudo ufw allow 30303/udp
- Lighthouse, Teku, Nimbus-Eth2:
sudo ufw allow 9000/tcp
sudo ufw allow 9000/udp
- Prysm:
sudo ufw allow 13000/tcp
sudo ufw allow 12000/udp
The output of each command should always show:
Rule added
Rule added (v6)
2.3 Check Configuration: Verify the new firewall rules.
sudo ufw status
The output should look similar to this:
- Execution Client + Lighthouse, Teku, or Nimbus-Eth2:
Status: active
To Action From
-- ------ ----
<preferred-ssh-port>/tcp ALLOW Anywhere
30303/tcp ALLOW Anywhere
30303/udp ALLOW Anywhere
9000/tcp ALLOW Anywhere
9000/udp ALLOW Anywhere
<preferred-ssh-port>/tcp (v6) ALLOW Anywhere (v6)
30303/tcp (v6) ALLOW Anywhere (v6)
30303/udp (v6) ALLOW Anywhere (v6)
9000/tcp (v6) ALLOW Anywhere (v6)
9000/udp (v6) ALLOW Anywhere (v6)
- Execution Client + Prysm:
Status: active
To Action From
-- ------ ----
<preferred-ssh-port>/tcp ALLOW Anywhere
30303/tcp ALLOW Anywhere
30303/udp ALLOW Anywhere
13000/tcp ALLOW Anywhere
12000/udp ALLOW Anywhere
<preferred-ssh-port>/tcp (v6) ALLOW Anywhere (v6)
30303/tcp (v6) ALLOW Anywhere (v6)
30303/udp (v6) ALLOW Anywhere (v6)
13000/tcp (v6) ALLOW Anywhere (v6)
12000/udp (v6) ALLOW Anywhere (v6)
The <preferred-ssh-port> placeholder stands for your actual SSH port.
If something is missing, reapply the rules above or check the firewall configuration for further details.
If all required ports are listed with the ALLOW action, your node's local firewall is correctly configured. To expose these ports at the network level, proceed to configure the router's port forwarding rules.
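The check in step 2.3 can be scripted instead of read by eye. The following is an added example, not part of the original guide: it compares `ufw status` text with the port table above and reports required rules that are missing for IPv4 or IPv6, plus any other port left open. The function names, the sample status text, SSH port 22 and the stray 8080/tcp rule are constructed for illustration.

```shell
# Added example (not from the guide): audit `ufw status` text against the port table.
required_rules() {            # port/proto pairs this page lists for the client pair
    printf '%s\n' 30303/tcp 30303/udp         # any execution client
    case "$1" in
        prysm) printf '%s\n' 13000/tcp 12000/udp ;;
        lighthouse|teku|nimbus-eth2) printf '%s\n' 9000/tcp 9000/udp ;;
        *) echo "unknown consensus client: $1" >&2; return 2 ;;
    esac
}
allowed_rules() {             # stdin: ufw status text; prints "port/proto family" per ALLOW rule
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ {
        v6 = ($2 == "(v6)")
        if ((v6 ? $3 : $2) == "ALLOW") print $1, (v6 ? "v6" : "v4")
    }'
}

# audit <consensus> <ssh-port> < status-text; returns 0 clean, 1 findings, 2 bad client
audit() {
    need=$(required_rules "$1") || return 2
    have=$(allowed_rules)
    findings=$(
        for rule in $need; do
            for fam in v4 v6; do
                printf '%s\n' "$have" | grep -qxF "$rule $fam" || echo "MISSING $rule $fam"
            done
        done
        printf '%s\n' "$have" | while read -r rule fam; do
            [ -n "$rule" ] && [ "$rule" != "$2/tcp" ] || continue   # skip the SSH rule
            printf '%s\n' "$need" | grep -qxF "$rule" || echo "EXTRA $rule $fam"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

sample_status() {             # constructed input: 9000/udp absent, stray 8080/tcp rule
    cat <<'EOF'
22/tcp                     ALLOW       Anywhere
30303/tcp                  ALLOW       Anywhere
30303/udp                  ALLOW       Anywhere
9000/tcp                   ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
30303/tcp (v6)             ALLOW       Anywhere (v6)
30303/udp (v6)             ALLOW       Anywhere (v6)
9000/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}
sample_status | audit lighthouse 22 || true
```

On the node, feed it live output with `sudo ufw status | audit prysm <preferred-ssh-port>` (or `lighthouse`, `teku`, `nimbus-eth2`).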
If you need to modify the firewall rules, such as removing an unwanted port rule, you can list them all.
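sudo ufw status numbered
To delete a specific port rule using UFW, type the <rule-number> that is no longer required. Rule numbers shift after every deletion, and the IPv4 and (v6) entries are separate rules, so list the rules again before deleting the next one.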
sudo ufw delete <rule-number>