From ae91163168a4342fa4201e0a5dd566fbeda21bc7 Mon Sep 17 00:00:00 2001
From: davide3011
Date: Mon, 16 Feb 2026 09:23:14 +0100
Subject: [PATCH] harden: restrict RPC/ZMQ exposure and remove unsafe RPC override

- Bind RPC to localhost only (127.0.0.1:2332)
- Bind ZMQ 28332/28334/28335 to localhost for host-only debugging
- Remove -rpcallowip=0.0.0.0/0 from palladiumd
- Remove redundant -rpcbind flag from compose (handled in palladium.conf)
---
 docker-compose.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 718e59c..5d2774d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,11 +7,11 @@ services:
 container_name: palladium-node
 restart: unless-stopped
 ports:
- - "0.0.0.0:2332:2332" # RPC port mainnet (accessible from network)
+ - "127.0.0.1:2332:2332" # RPC port mainnet (host-local only)
 - "0.0.0.0:2333:2333" # P2P port mainnet (accessible from network)
- - "0.0.0.0:28332:28332" # ZMQ hashblock (accessible from network)
- - "0.0.0.0:28334:28334" # ZMQ rawblock (accessible from network)
- - "0.0.0.0:28335:28335" # ZMQ rawtx (accessible from network)
+ - "127.0.0.1:28332:28332" # ZMQ hashblock (host-local debug only)
+ - "127.0.0.1:28334:28334" # ZMQ rawblock (host-local debug only)
+ - "127.0.0.1:28335:28335" # ZMQ rawtx (host-local debug only)
 # For testnet, expose: 12332 (RPC) and 12333 (P2P)
 volumes:
@@ -22,8 +22,6 @@ services:
 palladiumd
 -conf=/root/.palladium/palladium.conf
 -datadir=/root/.palladium
- -rpcbind=0.0.0.0
- -rpcallowip=0.0.0.0/0
 -daemon=0
 -printtoconsole=1
@@ -96,4 +94,4 @@ services:
 volumes:
 - ./.palladium/palladium.conf:/palladium-config/palladium.conf:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
\ No newline at end of file
+ - /var/run/docker.sock:/var/run/docker.sock:ro
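Review bot: The `127.0.0.1:` prefix on the RPC and ZMQ mappings in the first hunk restricts only what is published through the host; other services on the same Compose network can still connect to the node's 2332 and 2833x ports directly. Assuming default bridge networking, the daemon must also keep listening on a non-loopback interface inside the container for these published ports to work at all. With `-rpcbind` and `-rpcallowip` removed in the second hunk, the effective RPC ACL now lives entirely in palladium.conf, which this patch does not show, so it is worth confirming that `rpcallowip` there is scoped to the Docker network rather than left open. I would record that next to the mapping, e.g. `# host publish only; RPC ACL is rpcallowip in palladium.conf (keep it to the compose subnet)`. If the ZMQ ports really are debug-only, leaving them unpublished by default and enabling them from an override file would be tighter still.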