Firewall: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(Add Mosh ports to general use)
 
(11 intermediate revisions by 4 users not shown)
Line 9: Line 9:
== General Use ==
== General Use ==


* Port 22 (SSH), plus additional ports on taurine
* Port 22 (SSH), plus additional SSH ports on taurine (21, 53, 80, 81, 443, 8000, 8080)
* Ports 60000–61000 (Mosh)
* Ports 60000–61000 (Mosh)
* Ports 28000-28500 (TCP/UDP general use)
* Ports 28000-28500 (TCP/UDP general use)
Line 15: Line 15:
== Webserver ==
== Webserver ==


caffeine has ports 80 and 443 open
* caffeine has ports 22 (SSH), 80 (HTTP), 443 (HTTPS), 11068 (HTTP for rridge) and UDP 60000–61000 (Mosh)
* wiki is now a CNAME for caffeine
* git has ports 80 (HTTP) and 443 (HTTPS)
* nextcloud has ports 80 (HTTP) and 443 (HTTPS)


== Mail ==
== Mail ==


Mail has ports 80, 443, 143, 993, 25, 587 open
* mail has ports 25 (SMTP), 80 (HTTP), 143 (IMAP), 443 (HTTPS), 587 (MAIL SUBMISSION), 993 (IMAPS)
* mailman has ports 80 (HTTP) and 443 (HTTPS)


== Mirror ==
== Mirror ==


Mirror has 21 (ftp), 80, 443, 873 (rsync) open.
* mirror has ports 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS), 873 (RSYNC)

== IPv6 Test ==

* ds.test-ipv6, mtu1280.test-ipv6 have ports 80 (HTTP), 443 (HTTPS)
* v6ns1.test-ipv6 has port 53 (DNS)

== Cloud ==
* cloud.csclub.uwaterloo.ca (and csclub.cloud, and all of their subdomains): 80 (HTTP) and 443 (HTTPS)
* riboflavin (and possibly other cloud machines) have port 22 exempted from the campus firewall, but they are currently blocked via iptables on the hosts

== BigBlueButton ==

* bbb has TCP ports 80 (HTTP) and 443 (HTTPS)
* bbb has UDP ports 16384 - 32768 (for WebRTC)

== drone.io (ci) ==

* This has now moved to Kubernetes (same IP address as cloud.csclub.uwaterloo.ca).

== progcom ==
* progcom has TCP ports 80 (HTTP) and 443 (HTTPS)

== Other Web Services ==

rt, munin, prometheus

* 80 (HTTP) and 443 (HTTPS)


= Adding Exceptions =
= Adding Exceptions =


Create a ticket on the [https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/805 UWaterloo Help Portal]. Use the syscom account unless you already have an account and IST knows it.
The CSC systems committee can request additional exceptions by emailing request@uwaterloo.ca

Latest revision as of 16:25, 31 May 2023

Our networks are behind the University's Campus firewall. This means that traffic to us is automatically dropped at the edge of campus unless we have exceptions added for it.

Current Exceptions

Office Terminals

No exceptions in the campus firewall.

General Use

  • Port 22 (SSH), plus additional SSH ports on taurine (21, 53, 80, 81, 443, 8000, 8080)
  • Ports 60000–61000 (Mosh)
  • Ports 28000-28500 (TCP/UDP general use)

Webserver

  • caffeine has ports 22 (SSH), 80 (HTTP), 443 (HTTPS), 11068 (HTTP for rridge) and UDP 60000–61000 (Mosh)
  • wiki is now a CNAME for caffeine
  • git has ports 80 (HTTP) and 443 (HTTPS)
  • nextcloud has ports 80 (HTTP) and 443 (HTTPS)

Mail

  • mail has ports 25 (SMTP), 80 (HTTP), 143 (IMAP), 443 (HTTPS), 587 (MAIL SUBMISSION), 993 (IMAPS)
  • mailman has ports 80 (HTTP) and 443 (HTTPS)

Mirror

  • mirror has ports 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS), 873 (RSYNC)

IPv6 Test

  • ds.test-ipv6, mtu1280.test-ipv6 have ports 80 (HTTP), 443 (HTTPS)
  • v6ns1.test-ipv6 has port 53 (DNS)

Cloud

  • cloud.csclub.uwaterloo.ca (and csclub.cloud, and all of their subdomains): 80 (HTTP) and 443 (HTTPS)
  • riboflavin (and possibly other cloud machines) have port 22 exempted from the campus firewall, but they are currently blocked via iptables on the hosts

BigBlueButton

  • bbb has TCP ports 80 (HTTP) and 443 (HTTPS)
  • bbb has UDP ports 16384 - 32768 (for WebRTC)

drone.io (ci)

  • This has now moved to Kubernetes (same IP address as cloud.csclub.uwaterloo.ca).

progcom

  • progcom has TCP ports 80 (HTTP) and 443 (HTTPS)

Other Web Services

rt, munin, prometheus

  • 80 (HTTP) and 443 (HTTPS)

Adding Exceptions

Create a ticket on the UWaterloo Help Portal. Use the syscom account unless you already have an account and IST knows it.