If you are following this guide, or need to listen on 0.0.0.0 with ElasticSearch for some other reason: USE A FIREWALL FOR PORTS 9200 AND 9300.
Port 9200 is the HTTP (REST API) port that clients such as Mastodon connect to, and 9300 is the transport port used for node-to-node communication.
If a firewall is not used, anyone can connect to your ElasticSearch instance and retrieve all toots stored inside, since ElasticSearch uses no authentication mechanism in this guide (I do not know if Mastodon supports it; ES does, but not by default). The end result is that anyone can dump the toots stored in ElasticSearch on your server, including remote ones, and, because the REST API is fully exposed, can also alter or delete the index.
A publicly open ElasticSearch server is a menace to anyone who federates with you.
If ElasticSearch runs on the same server as Rails, listen on 127.0.0.1. There is no need to listen on 0.0.0.0 for this configuration.
You also don't need a firewall if it only listens on a private IP (one that begins with 192.168., one that begins with 10., or one in the range 172.16.0.0 to 172.31.255.255); however, I would personally recommend one, since a private address is only as private as the network it sits on: other machines on the same LAN or cloud network can still reach it.
When configuring a firewall, ensure that ports 9200 and 9300 are only accessible from your web host/hosts. Test it and be sure: from a machine that is not one of them, try to connect to both ports and confirm that it fails.
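The following is an added example, not part of this guide or of Mastodon or ElasticSearch. It assumes iptables is the firewall in use and that the allowed web hosts are passed as arguments (the 192.0.2.x addresses used below are constructed documentation addresses, not real hosts). It prints the rules instead of applying them so you can review them first, checks an elasticsearch.yml for a `network.host` value that would bind to a non-loopback address, and includes the probe you would run from an outside machine to confirm the ports are closed.

```bash
#!/usr/bin/env bash
# Added example for this guide (not Mastodon's or ElasticSearch's own code).
# Assumptions: iptables is the firewall, and the hosts allowed to reach
# ElasticSearch are given as arguments. Review the printed rules, then apply
# them with:  ./es_firewall.sh 192.0.2.10 192.0.2.11 | sudo sh
set -eu

ES_PORTS="9200 9300"   # 9200 = HTTP/REST clients, 9300 = node-to-node transport

# Print iptables rules that accept the ES ports only from the given web hosts
# and drop everything else. Loopback is accepted first so that ES (and Rails
# on the same box) can still reach it via 127.0.0.1.
es_firewall_rules() {
  local host port
  echo "iptables -A INPUT -i lo -j ACCEPT"
  for port in $ES_PORTS; do
    for host in "$@"; do
      echo "iptables -A INPUT -p tcp --dport $port -s $host -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# Inspect an elasticsearch.yml: succeed (0) only if network.host is unset or
# loopback-only, so a stray 0.0.0.0 is caught before ES is restarted.
# Lists such as [127.0.0.1, _local_] fall through to 1 ("review by hand").
es_bind_is_safe() {
  local conf="$1" host
  host=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$conf" \
         | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tail -n 1)
  case "$host" in
    ""|127.0.0.1|localhost|_local_|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Run this from a machine that should NOT have access. Prints "open" or
# "closed"; a correct firewall gives "closed". A DROP rule shows up as a
# hang rather than a refusal, hence the 3-second limit when timeout exists.
es_port_state() {
  local host="$1" port="$2" t=""
  command -v timeout >/dev/null 2>&1 && t="timeout 3"
  if $t bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# When run as a script with web hosts as arguments, print the rule set.
if [ "${1:-}" != "" ]; then
  es_firewall_rules "$@"
fi
```

The rules are appended (`-A`), so they only take effect if no earlier rule in the INPUT chain already accepts traffic to those ports; check `iptables -L INPUT -n --line-numbers` before applying. After applying, run `es_port_state your.server.example 9200` from a host that is not a web host and expect `closed`; run it from a web host and expect `open`.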
Guides for configuring a firewall
There are many, but here are some for the most common OSes/distros: