tl;dr: I think B is correct, meaning those are the ports that should be diallable from the outside world.
(all below TCP)
4001 is for the go-ipfs swarm endpoint.
9096 is for the default ipfs-cluster peer swarm endpoint. ipfs-cluster-follow with remote configurations may however be given a different port, even a UDP/quic port, depending on what the fetched config indicates.
8080 is for the go-ipfs gateway endpoint (should be listening on localhost only, and can be disabled if not used).
ICMP ? No idea. But ipfs and cluster do autodiscovery using mDNS LAN multicast.
Additionally, 5001 is the ipfs daemon API port, which listens on localhost.
So, in your firewall, dialable from the outside should only be TCP 4001 and 9096 I think.
These iptables rules rules are pretty secure and seem to work:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4001,9096 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 9096 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPPED: "
COMMIT
They can be copied and pasted into a file and applied as root:
iptables-restore </root/firewall.rules
Explanation:
Drop everything by default for the INPUT and FORWARD chains.
Allow localhost traffic via the loopback device
Allow traffic already established or related.
Allow port 22 (SSH) so you don’t lock yourself out.
Alow TCP 4001 and 9096 for IPFS.
Allow UDP 9096. (A couple packets came through when I enabled this.)
LOG all the other packets to see if anything important got dropped.
Once satisfied, delete rule 6 so you don’t fill up your filesystem: