From 1c97380b0e370b8b02e4590caa581afb0a15460c Mon Sep 17 00:00:00 2001
From: Black Swan <3999712+blacks1ne@users.noreply.github.com>
Date: Sun, 1 Feb 2026 18:48:28 +0200
Subject: [PATCH 1/2] add firewall blocking private IP address range connection
 guidance

---
 docs/run-node/quick-start.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docs/run-node/quick-start.md b/docs/run-node/quick-start.md
index 0b2425a..63f08bf 100644
--- a/docs/run-node/quick-start.md
+++ b/docs/run-node/quick-start.md
@@ -26,6 +26,26 @@ This can be achieved by setting `listenMultiaddr` to `/ip4/0.0.0.0/tcp/8336` and
 
 :::
 
+## IP Address Ranges to Block with Firewall on VDS
+
+Hosting providers for virtul dedicated servers (VDS) typically provide a public IP address while expecting the software running on your server to address other communication endpoints also via public IP addresses. Any attempts to communicate with private address ranges are typically interpreted by the hosting provider as a network attack with the warnings being sent to the server operator and, if not corrected quickly, with the server being suspended.
+Properly configured servers running nodes behind NAT can start with a private IP address but will quickly learn their public IP with the peer assistance and start broadcasting it instead of the initial private IP address.
+However, mis-configured nodes that cannot communicate with peers may end up broadcating private IP while provoking other nodes connecting to private IP address ranges.
+To prevent connection attempts to the private IP ranges on a VDS, the following firewalls rules can be added on Ubuntu Linux with `ufw` utility: 
+
+```bash
+# Block RFC1918 private address ranges
+ufw deny out to 10.0.0.0/8
+ufw deny out to 172.16.0.0/12
+ufw deny out to 192.168.0.0/16
+
+# Block multicast
+ufw deny out to 224.0.0.0/4
+
+# Block broadcast
+ufw deny out to 255.255.255.255
+```
+
 ## Node Install
 
 ### Recommended Install Method

From 077304fd289c2c5ad1ccd7a44347e027a063fdf1 Mon Sep 17 00:00:00 2001
From: Black Swan <3999712+blacks1ne@users.noreply.github.com>
Date: Mon, 2 Feb 2026 13:03:39 +0200
Subject: [PATCH 2/2] fine tuning

---
 docs/run-node/quick-start.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/run-node/quick-start.md b/docs/run-node/quick-start.md
index 63f08bf..d8fe6a8 100644
--- a/docs/run-node/quick-start.md
+++ b/docs/run-node/quick-start.md
@@ -26,12 +26,12 @@ This can be achieved by setting `listenMultiaddr` to `/ip4/0.0.0.0/tcp/8336` and
 
 :::
 
-## IP Address Ranges to Block with Firewall on VDS
+## IP Address Ranges to Block with Firewall on a Hosted Server
 
-Hosting providers for virtul dedicated servers (VDS) typically provide a public IP address while expecting the software running on your server to address other communication endpoints also via public IP addresses. Any attempts to communicate with private address ranges are typically interpreted by the hosting provider as a network attack with the warnings being sent to the server operator and, if not corrected quickly, with the server being suspended.
+Hosting providers commonly provide a public IP address while expecting the software running on your server to address other communication endpoints via public IP addresses. Any attempts to communicate with private address ranges are typically interpreted by the hosting provider as a network attack with the warnings being sent to the server operator and, if not corrected quickly, with the server network being suspended.
 Properly configured servers running nodes behind NAT can start with a private IP address but will quickly learn their public IP with the peer assistance and start broadcasting it instead of the initial private IP address.
 However, mis-configured nodes that cannot communicate with peers may end up broadcating private IP while provoking other nodes connecting to private IP address ranges.
-To prevent connection attempts to the private IP ranges on a VDS, the following firewalls rules can be added on Ubuntu Linux with `ufw` utility: 
+To prevent connection attempts to the private IP ranges, the following firewalls rules can be added on Linux with `ufw` utility: 
 
 ```bash
 # Block RFC1918 private address ranges