Indiana University


Computer Science






CSG FAQ

Q: Does the CS department block any network traffic?

We use Access Control Lists on our router to block traffic in an attempt to help secure the computing environment. We have worked to strike a balance between security and usability, with an emphasis on meeting the needs of the department. For the vast majority of users, this filtering will be transparent. However, there are some issues that you may want to be aware of:
  • Restricted Ports - Access to many services running on well-known ports is restricted to the known servers in the department. For example, if you bring up a web server running on port 80, it will not be accessible from outside the building unless you register it with the system staff. This restriction generally applies to all of the restricted ports in the range 1-1024. Since it requires the equivalent of root access to bring up a service on these ports, this is not an issue for most users. If you need external access to such a service, just ask to have your machine/port added to the access control list. With a few exceptions, access to the higher ports (>1024) is not being blocked. The higher ports that are being blocked include those assigned to commonly used services that we do not want to be visible (such as nfs/2049 and Microsoft SQL/1433) and ports commonly used by web servers (8000, 8008, 8009, 8080, and 8888).

  • Ftp - You are urged to use ssh/scp/sftp for secure file transfer. We only allow anonymous ftp to the department ftp server (ftp.cs.indiana.edu). All other ftp traffic is blocked by the router.

  • Rsh - We are blocking incoming access to the rsh/rlogin services, so you will not be able to rsh or rlogin to any department machine from outside. However, due to the way rsh/rlogin work, you will also not be able to use rsh or rlogin to connect to any machine outside the department. This is because rsh/rlogin must connect from restricted (1-1024) ports, which are being blocked. You will have to use ssh instead.

  • NFS Automounter - We are running the automounter on most of our Unix machines, which allows you to access arbitrary NFS servers by using the path /nfs/hostname. However, due to the way the automounter and NFS function, you will not be able to mount filesystems from NFS servers outside the building. If you need access to such a server, just let us know the server IP address and we can add the appropriate lines to the access control list so this works.

  • Ssh1/Scp1 - The default version of the Secure Shell client (ssh/scp) is version 2, which should have no bad interactions with the access control lists. However, the older version 1 clients (ssh1/scp1) use restricted (<1024) ports by default, so they will not work when making connections outside the building. To get around this, you can use the -P flag to ssh1, which tells it to use a non-privileged port. The only downside of doing this is that it will prevent you from using rhosts or rsarhosts authentication.

  • Printing - Standard Unix lpr/lpd printing uses port numbers <1024 when talking to remote lpd servers. This means that you will not be able to use lpr/lpd to print to a printer outside the building. If you need to do this, let us know and we can add the necessary rules to the access control lists to permit this to specific remote lpd servers.

    Likewise, if you are trying to use lpr/lpd printing to print to a CS printer from outside CS, this will be blocked. If you need to print to a CS printer from a system outside of the CS network (like from your laptop on the IU wireless network or from your home system) then please see the associated FAQs for printing from Windows, Mac OS, or Linux.
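The rsh, ssh1 and lpr items above share one cause, shown here as an added example that is not part of the original FAQ or the department's router configuration. It assumes a simplified model: a stateless filter that matches packets arriving from outside on their destination port only, with a constructed exemption list and constructed host names and source ports.

```python
# Simplified model (an assumption, not the department's actual ACL): a stateless
# filter applied to packets arriving from outside, matched on destination only.
BLOCKED_HIGH = {1433, 2049, 8000, 8008, 8009, 8080, 8888}  # high ports named in the FAQ

# Constructed registry of (inside host, port) pairs exempted by system staff.
REGISTERED = {("www.example.test", 80)}


def inbound_allowed(dst_host, dst_port, registered=REGISTERED):
    """Decide whether a packet from outside may reach dst_host:dst_port."""
    if (dst_host, dst_port) in registered:
        return True                      # explicitly registered service
    if 1 <= dst_port <= 1024 or dst_port in BLOCKED_HIGH:
        return False                     # restricted range or blocked high port
    return True                          # other high ports pass


def outbound_session_works(inside_host, client_src_port, registered=REGISTERED):
    """An outbound TCP session needs the server's replies, and those replies
    arrive from outside addressed to the client's source port. A stateless
    filter cannot tell them apart from unsolicited inbound traffic."""
    return inbound_allowed(inside_host, client_src_port, registered)


# Constructed client profiles: a typical source port each client binds.
CLIENTS = {
    "ssh (v2)": 51514,      # ordinary ephemeral port
    "rsh/rlogin": 1023,     # must bind a reserved port
    "ssh1 default": 1022,   # reserved port by default
    "ssh1 -P": 40022,       # -P requests a non-privileged port
    "lpr": 721,             # lpd clients use a reserved source port
}


def report(inside_host="desk.example.test"):
    """Map each client profile to whether its outbound session survives."""
    return {name: outbound_session_works(inside_host, port)
            for name, port in CLIENTS.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:14s} {'works' if ok else 'blocked'}")
```
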



