Common Rules
Common rules for the firewall
Here are some common firewall rule configurations you can use to protect your RPC endpoints. Each example includes a detailed explanation and screenshot showing how to implement the rule in the Ironforge dashboard.
These examples demonstrate the flexibility of Ironforge's firewall rules and how they can be combined to create robust security policies. You can adapt and customize these rules based on your specific security requirements.
How to block requests from a specific IP address or range?
Projects on Solana, like those on most other blockchains, expose their RPC endpoints to the public internet. That means bad actors may attack your RPC endpoints to try to reach your private keys or simply to take them down. In many cases these actors are automated bots that abuse your RPC endpoints or your application by flooding them with requests.

Anticipating such attacks is extremely hard, but once you detect one you can mitigate it by blocking the IP addresses that are causing the most damage. For that, in a firewall in `allow all` mode, when creating a rule:

- Set `IPv4` as the property and the IP address you want to block as the value.
- Set the action to `deny`.
On the other hand, you might need to allow a whole range of IP addresses, for instance when several servers in the same subnet run your code. For that, when creating the rule:

- Set `IPv4` as the property, `not equal` as the operator and `192.168.*` as the value (supposing 192.168.0.0/16 is the range you want to allow).
- Set the action to `deny`.

This rule denies every request whose source address is not in 192.168.0.0/16. Note that 192.168.0.0/16 is a private range and serves only as an illustration here: requests reaching a public RPC endpoint carry your servers' public egress addresses, so that is the range to put in the rule.
How to whitelist specific program addresses?
When developing on Solana, you might want to serve only requests that involve the specific programs your team has deployed.

For this, you can create a whitelist rule that denies every request except those that include the program addresses you want to allow. To create such a rule, in a firewall in `allow all` mode:

- Set `Program Address` as the property, `is not any of` as the operator and the programs to allow as a comma-separated list.
- Set the action to `deny`.

Bear in mind that this rule only applies to requests using the `sendTransaction` or `simulateTransaction` methods, since those are the ones that carry a transaction whose program addresses can be inspected. Requests using any other method are not affected by it, so combine it with a method rule if you also need to restrict those.
How to block requests from any server?
Browsers add an `Origin` header to requests made from a web page, while servers (backends, scripts, tools such as curl) normally send no origin at all. A rule that matches requests carrying no origin therefore filters out server traffic. For that, in a firewall in `allow all` mode:

- Set `Hostname` as the property, `not equal` as the operator and `*` as the value.
- Set the action to `deny`.

A request with no origin cannot match `*`, so it is denied, whereas any request that carries an origin passes. Keep in mind that the origin is supplied by the client: a script can add an `Origin` header of its choosing, so this rule raises the bar against casual abuse but is not a substitute for an authentication token.
How to block requests not containing a specific authentication token?
You can create a rule whose condition checks the authentication token for the value you choose. For that, in a firewall in `allow all` mode:

- Set `Auth token` as the property, `not equal` as the operator and `you-shall-not-pass` as the value.
- Set the action to `deny`.

All requests that lack the `x-ironforge-auth-token` HTTP header, or carry it with a value other than `you-shall-not-pass`, are then blocked. Treat the token as a secret: send it only over HTTPS, keep it out of frontend code, and rotate it if it leaks.
How to block requests with a wrong JWT token?
When several projects access your RPC endpoints, a single shared authentication token may not provide enough granularity or security: every project holds the same secret, and rotating it means redeploying all of them. JWTs offer a more dynamic approach, in which each project mints its own tokens, with its own claims and expiry, signed with the private key that matches a single public key the firewall uses for verification.

To implement JWT-based authentication, with the firewall set to `allow all` mode, create a rule with:

- Set `JWT token` as the property, `not equal` as the operator and your public key as the value.
- Set the action to `deny`.

This configuration blocks any request that lacks a JWT in the `Authorization` HTTP header or carries a token whose signature does not verify against the specified public key, that is, a token not issued with the corresponding private key. Keep that private key off the frontend: a token minted in the browser is no safer than an API key shipped in the bundle.
How to blacklist RPC methods?
Sometimes, with your firewall in `allow all` mode, you want to permit only the RPC methods that fit your use case. For example, a DeFi project might only need the `getProgramAccounts`, `getMultipleAccounts`, `getBalance` and `sendTransaction` methods. For that, when creating the rule:

- Set `Method` as the property, `is not any of` as the operator and select the methods you want to allow.
- Set the action to `deny`.

Every request using a method outside that list is then denied. If you instead want to block a few specific methods and leave the rest open, use `is any of` with the methods to block. Pairing `is any of` with the methods you want to allow and a `deny` action would block exactly the methods your application depends on.
How to rate limit requests for a project?
You can create a rule whose condition matches the project of the request and set its action to rate limit. For that, in `allow all` mode, when creating the rule:

- Set `Project` as the property and select your desired project as the value.
- Set the action to `rate limit`.

Additionally, you can rate limit requests by IP address within the same rule by configuring the action to group requests by IP address instead of using a single global limiter. For that, select `IP address` when configuring the action. With a global limiter, one abusive client can exhaust the whole project's budget and lock out legitimate users; grouping by IP confines the limit to the offending address.
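To make the difference between the two groupings concrete, here is an added example, not Ironforge's code, of a fixed-window limiter that can be keyed on the whole project or on the client IP. The limit of 8 requests per second, the addresses and the traffic pattern are all made up; Ironforge's actual algorithm and limits are not described on this page.

```javascript
// Added example, not Ironforge's code: a fixed-window rate limiter that can be
// keyed on the whole project or on the client IP, to show what the "group
// requests by IP address" option changes. Limit, window and traffic are made up.
class FixedWindowLimiter {
  constructor({ limit, windowMs, groupBy = 'project' }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.groupBy = groupBy;          // 'project' = one shared counter, 'ip' = one per address
    this.windows = new Map();        // key -> { start, count }
  }

  keyFor(request) {
    return this.groupBy === 'ip' ? `${request.project}|${request.ip}` : request.project;
  }

  // Returns true if the request is within budget, false if it should be rate limited.
  allow(request, nowMs) {
    const key = this.keyFor(request);
    let w = this.windows.get(key);
    if (!w || nowMs - w.start >= this.windowMs) {
      w = { start: nowMs, count: 0 };   // start a fresh window for this key
      this.windows.set(key, w);
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

// Run a constructed burst through a limiter and count denials per client IP.
function simulate(groupBy) {
  const limiter = new FixedWindowLimiter({ limit: 8, windowMs: 1000, groupBy });
  const burst = [
    ...Array(8).fill({ project: 'frontend', ip: '198.51.100.7' }),   // bot hammering the endpoint
    ...Array(3).fill({ project: 'frontend', ip: '203.0.113.10' }),   // a real user
    ...Array(2).fill({ project: 'frontend', ip: '198.51.100.7' }),
  ];
  const denied = {};
  burst.forEach((req, i) => {
    // 10 ms apart, so the whole burst lands inside one window
    if (!limiter.allow(req, i * 10)) denied[req.ip] = (denied[req.ip] || 0) + 1;
  });
  return denied;
}

console.log('global limiter :', simulate('project'));  // the real user is locked out too
console.log('per-IP limiter :', simulate('ip'));       // only the bot is limited
```

With the global grouping the bot's first eight requests consume the project's budget and the real user's three requests are refused; with per-IP grouping the bot is cut off after eight while the real user is untouched.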
How to allow requests from a specific domain and API key?
When creating your Ironforge organization, you might need to create different projects for the components of your application, for example one for the frontend and another for the backend. Both components can have different needs, like rate limiting the frontend's requests and allowing only specific IP addresses for the backend.

Also, because frontends are public, any user can read your Ironforge API key from the frontend code. It is therefore good practice to accept that key only from the domain associated with your frontend project, rather than from any domain, so that bad actors who copy it cannot use it from elsewhere.

For that, in a firewall in `allow all` mode, when creating the rule:

- Set `API Key` as the property and the API key of your frontend project as the value.
- Set `Hostname` as the property, `not equal` as the operator and the domain you want to allow as the value.
- Set the action to `deny`.

This rule denies every request that presents your frontend API key but does not come from the chosen domain. Requests using your backend project's API key are not affected by it, so restrict those separately (for example by IP address, as shown above). Since the origin is client-supplied, this check limits casual reuse of a leaked key rather than replacing an authentication token.
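As an added example that is not Ironforge's code, the block below models how the `allow all` mode deny rules from the IP range, program address, server, authentication token, method and domain/API key sections above evaluate against a request, so a rule set can be sanity-checked before it is entered in the dashboard. The combination semantics are assumptions, not documented behaviour: conditions within one rule are ANDed, the first matching deny rule wins, `*` is a wildcard, and a property the request does not carry (such as a missing `Origin` header) never equals any pattern, so a `not equal` condition on it matches. Program addresses, keys, domains and the sample requests are constructed.

```javascript
// Added example, not Ironforge's code: a model of how the allow-all-mode deny
// rules described on this page evaluate against a request. The combination
// semantics (AND within a rule, first deny wins, absent property never matches)
// are assumptions, not documented behaviour.

// Turn a dashboard-style wildcard such as `192.168.*` into an anchored RegExp.
function globToRegExp(pattern) {
  const escaped = String(pattern).split('*')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp(`^${escaped}$`);
}

// A value the request does not carry (undefined Origin, missing header) never matches.
function valueMatches(actual, pattern) {
  return actual != null && globToRegExp(pattern).test(String(actual));
}

const PROPERTY_GETTERS = {
  'IPv4': r => r.ip,
  'Hostname': r => r.origin,                              // Origin header; servers send none
  'Auth token': r => r.headers['x-ironforge-auth-token'],
  'API Key': r => r.apiKey,
  'Method': r => r.method,
  'Program Address': r => r.programAddresses,             // array read from the transaction
};

// Only these methods carry a transaction whose program addresses can be inspected.
const TX_METHODS = new Set(['sendTransaction', 'simulateTransaction']);

function conditionMatches(request, cond) {
  if (cond.property === 'Program Address' && !TX_METHODS.has(request.method)) return false;
  const getter = PROPERTY_GETTERS[cond.property];
  if (!getter) throw new Error(`unknown property: ${cond.property}`);
  const actuals = [].concat(getter(request));
  const patterns = [].concat(cond.value);
  const inList = a => patterns.some(p => valueMatches(a, p));
  switch (cond.operator) {
    case 'equal':
    case 'is any of':     return actuals.some(inList);            // some value is in the list
    case 'not equal':
    case 'is not any of': return actuals.some(a => !inList(a));   // some value is outside it
    default: throw new Error(`unknown operator: ${cond.operator}`);
  }
}

// Allow-all mode: the request is denied as soon as every condition of some deny rule matches.
function evaluate(rules, request) {
  const hit = rules.find(r => r.action === 'deny' && r.conditions.every(c => conditionMatches(request, c)));
  return hit ? { action: 'deny', rule: hit.name } : { action: 'allow', rule: null };
}

// The rules from this page. Program addresses, keys and domains are made up.
const ALLOWED_PROGRAMS = ['OurProg1111111111111111111111111111111111111', 'OurProg2222222222222222222222222222222222222'];
const rule = (name, ...conditions) => ({ name, action: 'deny', conditions });
const RULES = {
  onlyOurSubnet:   rule('only our subnet',     { property: 'IPv4', operator: 'not equal', value: '192.168.*' }),
  onlyOurPrograms: rule('only our programs',   { property: 'Program Address', operator: 'is not any of', value: ALLOWED_PROGRAMS }),
  noServers:       rule('no servers',          { property: 'Hostname', operator: 'not equal', value: '*' }),
  authToken:       rule('auth token required', { property: 'Auth token', operator: 'not equal', value: 'example-token' }),
  methodAllowlist: rule('method allowlist',    { property: 'Method', operator: 'is not any of',
                     value: ['getProgramAccounts', 'getMultipleAccounts', 'getBalance', 'sendTransaction'] }),
  frontendKeyOnlyFromFrontend: rule('frontend key only from its domain',
                     { property: 'API Key', operator: 'equal', value: 'frontend-key' },
                     { property: 'Hostname', operator: 'not equal', value: 'https://app.example.com' }),
};

// Constructed sample requests.
const REQUESTS = {
  browser:         { ip: '203.0.113.10', origin: 'https://app.example.com', apiKey: 'frontend-key', headers: {}, method: 'getBalance', programAddresses: [] },
  leakedKeyScript: { ip: '198.51.100.7', origin: undefined, apiKey: 'frontend-key', headers: {}, method: 'getBalance', programAddresses: [] },
  backendTx:       { ip: '192.168.5.4', origin: undefined, apiKey: 'backend-key', headers: { 'x-ironforge-auth-token': 'example-token' },
                     method: 'sendTransaction', programAddresses: [ALLOWED_PROGRAMS[0]] },
};
REQUESTS.foreignTx = { ...REQUESTS.backendTx, programAddresses: [ALLOWED_PROGRAMS[0], 'Unknown1111111111111111111111111111111111111'] };

for (const [ruleKey, r] of Object.entries(RULES))
  for (const [reqKey, req] of Object.entries(REQUESTS))
    console.log(`${ruleKey.padEnd(28)} ${reqKey.padEnd(16)} -> ${evaluate([r], req).action}`);
```

Every rule on this page is written as a deny whose condition is the negation of what you want to let through, which is why the script with the leaked key is denied by both the `no servers` rule (no origin) and the two-condition domain/API key rule, while the browser on the frontend domain passes both. The `only our programs` rule leaves the `getBalance` requests alone, exactly as the page says it should.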