Why is whitelisting needed?


nbxplorer suggests whitelisting its address for bitcoind peer connections:

Your NBXplorer server is not whitelisted by your node, you should add "whitelist=127.0.0.1" to the configuration file of your node

The permissions granted by whitelist=127.0.0.1 are:

  • noban: do not ban for misbehavior
  • download: allow getheaders during IBD, no disconnect after maxuploadtarget limit
  • mempool: allow requesting BIP35 mempool contents
  • relay: relay even in -blocksonly mode, and unlimited transaction announcements

Which of these are actually required by nbxplorer? Whitelisting 127.0.0.1 with default permissions is problematic when running a bitcoind onion service that connects to localhost. In this case inbound onion connections won’t be banned when misbehaving.

There are two possible workarounds in bitcoind:

  • Whitebind localhost and add a separate onion socket (whitebind=127.0.0.1:8333, bind=127.0.0.1:8334=onion). This is incompatible with accepting inbound connections on all interfaces (bind=0.0.0.0:8333) due to the port clash.
  • Bind the onion socket to a separate address on the loopback device (bind=10.0.0.1:8334=onion). This requires changing the local interface configuration.

Both workarounds are unsatisfying, so it would be great to get rid of whitelisting or to only grant the minimum required permissions.
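
A configuration check for the concern raised above, as an added example (not code from the issue, NBXplorer or Bitcoin Core): it reads whitelist= lines, applies the default permission set listed in the issue when no explicit set is given, and flags entries that grant noban to a range covering 127.0.0.1. It assumes bitcoind's [permissions@] prefix on whitelist entries; the sample config is constructed, and its download-only entry is illustrative, not a statement of what NBXplorer needs.

```python
import ipaddress

# Default permission set for a bare whitelist= entry, as listed in the issue.
DEFAULT_PERMS = frozenset({"noban", "download", "mempool", "relay"})
LOOPBACK = ipaddress.ip_address("127.0.0.1")

# Constructed sample config (not taken from the issue).
SAMPLE_CONF = """\
# bitcoin.conf
listen=1
whitelist=127.0.0.1
whitelist=download@127.0.0.0/8
whitelist=192.168.1.0/24
"""

def parse_whitelist(value):
    """Split '[permissions@]network' into (permission set, ip_network)."""
    perms, sep, net = value.rpartition("@")
    if sep:  # explicit permissions replace the default set
        granted = frozenset(p.strip() for p in perms.split(",") if p.strip())
    else:
        granted = DEFAULT_PERMS
    return granted, ipaddress.ip_network(net.strip(), strict=False)

def audit(conf_text):
    """Return one finding per whitelist= line whose range covers 127.0.0.1."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "whitelist":
            continue
        granted, net = parse_whitelist(value)
        if LOOPBACK in net:
            findings.append({
                "line": lineno,
                "network": str(net),
                "permissions": sorted(granted),
                # noban on loopback also covers onion peers arriving via localhost
                "noban_on_loopback": "noban" in granted,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        status = "REVIEW" if f["noban_on_loopback"] else "ok"
        print(f"line {f['line']}: {f['network']} {f['permissions']} -> {status}")
```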

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
NicolasDorier commented, Nov 26, 2021

@Kixunil yes, I would connect on a Unix socket if it was available. I don’t know about Electrs and the details of how Bitcoin Core works. I just know that when connection slots are full, you can’t connect unless you have some permissions (which I think is noban).

2 reactions
Kixunil commented, Nov 11, 2021

Is NBXplorer doing anything else beyond downloading blocks? Electrs should be similar and it only requires download. Would be nice to understand this.

Side note: I was already thinking of making a PR to Core that’d allow binding another P2P interface on a Unix socket. That should resolve various permission issues. Would it be useful to you, @erikarvstedt? @NicolasDorier would you be willing to support it?

CC @romanz - you may be interested in this too.
