GEP for enhancing security of nodes in homes or behind a NAT firewall

It has come to our attention that some grid users use VMs for sending SPAM, which creates issues for the farmer in relation to their ISP.
Since we have some other security features that we want to implement, we’ll add all 3 features in one go.

  • disallow nodes in purely NATed networks to send mails using an MTA (tcp/port 25). That blocking will only happen for nodes in a home or when the nodes don’t have access to a direct public link.
  • nodes that live in homes will have VMs (workloads) that only have access to the Internet and will be unable to snoop around in the home network. (there are already some filters in place, but the restrictions will be complete. Packets from workloads can only be forwarded to the router.
  • also, proactively we’re going to rate-limit DNS queries for VMs to 15/sec to alleviate popular DNS amplification and reflector attacks

The thing is: this needs to be fast, if we can’t handle it for 3.10, we’ll send out a patch release on 3.10 or a 3.10.1

For this to pass, we would need at least 25 votes and a positive vote of at least 50% before 06 July 2023. Anyone with a farm may vote. Please register your vote on the dashboard under ‘DAO’


I was under the impression vms were already prevented from snooping around a home network. This definitely needs to be implemented asap.

Could somebody explain the downside to this? or why a farmer would vote against

Well actually, I don’t see a Farmer vote against it, unless he’s a die hard freedom fighter where anything needs to be allowed.
But if a user wants to send spam, he will need to rent a public IP from a Farmer that has available public IPs. Most of the time sending mails would need to be done from public IPs. A farmer or his ISP can then block the IP, whereas an ISP for a home link would just block the line.

Ratelimiting DNS queries is IMHO just a sane and courteous thing to do. It makes that dns attackers just steer away from using the grid as medium because only a few 10s queries per second are allowed as opposed to 1000s per second

1 Like