
Welcome to Live Stream Fleet Solution Manual

Securing Your Node with Allow-Lists

To enhance security in your deployment of Live Stream Fleet Gateway (lsfgateway), you can define strict allow-lists for input and output connections. These allow-lists act as a policy control layer to restrict which IP addresses and ports can be used when a node is remotely configured.

Why Use Allow-Lists?

While remote configuration via the secure backend is already protected using authentication and encryption, you may still want to limit which connections the node is permitted to establish. Allow-lists help you:

  • Prevent misconfiguration that could expose internal networks.
  • Block malicious or accidental attempts to redirect traffic to unsafe addresses or ports.
  • Ensure only intended, pre-approved endpoints can be connected to by the node.

Allow-lists are especially important when:

  • You deploy nodes on networks with sensitive internal systems.
  • You give access to configuration tools to multiple team members.
  • You want to enforce specific routing or firewall compliance rules.

How to Set Up Allow-Lists

You can set the allow-lists on the command line when starting lsfgateway.

Examples:

  • --allow-input-ip 192.168.1.10 — allow a single IP
  • --allow-input-ip 192.168.1.0/24 — allow a subnet in CIDR notation
  • --allow-input-ip 192.168.1.10-192.168.1.20 — allow a range of addresses
  • --allow-output-port 10000 — allow a single port
  • --allow-output-port 10000-10100 — allow a port range

What Happens If You Don’t Set Any Allow-List?

If you don’t provide any allow-list, lsfgateway will permit all IPs and ports to be used in the remote configuration. This is fine for evaluation or controlled environments but not recommended in production deployments.

Once allow-lists are set, any configuration attempt that references an IP or port outside these rules will be rejected.
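
The matching rules described above, as an added example that is not part of lsfgateway or this manual's own code: a Python pre-deployment check that tests a planned endpoint against allow-list entries in the three syntaxes shown (single value, CIDR, range). It assumes ranges are inclusive; the function names are hypothetical and the policy values are taken from the manual's example command.

```python
import ipaddress

def ip_allowed(ip, entries):
    """True if ip matches an entry: single address, CIDR subnet, or first-last range."""
    if not entries:                      # per the manual: no allow-list permits everything
        return True
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:                 # assumption: range is inclusive at both ends
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry}")
            if addr.version == lo.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True                  # a bare address is treated as a /32 (or /128)
    return False

def port_allowed(port, entries):
    """True if port matches an entry: single port or first-last range."""
    if not entries:
        return True
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {entry}")
        if lo <= port <= hi:
            return True
    return False

def check_endpoint(direction, ip, port, policy):
    """Return a list of violations for a planned 'input' or 'output' endpoint."""
    problems = []
    if not ip_allowed(ip, policy.get(f"allow-{direction}-ip", [])):
        problems.append(f"{direction} ip {ip} is outside the allow-list")
    if not port_allowed(port, policy.get(f"allow-{direction}-port", [])):
        problems.append(f"{direction} port {port} is outside the allow-list")
    return problems

# Policy mirroring the flags in the manual's example command.
POLICY = {
    "allow-input-ip": ["192.168.1.0/24"],
    "allow-input-port": ["5000-6000"],
    "allow-output-ip": ["10.10.0.0/16"],
    "allow-output-port": ["8000"],
}

if __name__ == "__main__":
    print(check_endpoint("output", "10.10.3.4", 8000, POLICY))     # inside policy
    print(check_endpoint("output", "169.254.169.254", 80, POLICY)) # outside policy
```

A malformed entry (for example a range whose end is not a full dotted-quad address) raises ValueError, which makes the check useful for catching typos in an allow-list before the node is started.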

Best Practices

  • Use narrow IP ranges wherever possible.
  • Include only the specific ports your application needs.
  • Regularly audit and update allow-lists as your network topology changes.
  • Use allow-lists alongside your internal firewall rules for defence-in-depth.




Example startup command with all four allow-lists set:

./lsfgateway \
  --account_id <ACCOUNT_ID> \
  --node_id <NODE_ID> \
  --secret_key <SECRET_KEY> \
  --allow-input-ip 192.168.1.0/24 \
  --allow-input-port 5000-6000 \
  --allow-output-ip 10.10.0.0/16 \
  --allow-output-port 8000

© 2025 SOFTSIDE TECH PTY. LTD.