Firewall and network security

Helpdesk.cs.uu.nl

Computer science uses the centrally managed UU firewall, a Cisco Firewall Services Module (FWSM). This firewall supports stateful filtering and packet inspection.

The big change is that our policy on outgoing traffic has moved from default open (with some exceptions) to default closed (with a list of allowed ports). The list of allowed outgoing ports was compiled from the university policy that was about to become standard, a list of ports used for collaboration, usage reports from our old filtering router, and user requests with a connection to research and education.

The list:

TCP ports:
 port-object eq domain
 port-object eq ftp
 port-object eq https
 port-object eq ftp-data
 port-object eq 43          (whois)
 port-object eq 70          (gopher)
 port-object eq www
 port-object eq nntp
 port-object eq pop3
 port-object eq ssh
 port-object eq telnet
 port-object eq imap4
 port-object eq ldap
 port-object eq ldaps
 port-object eq 106
 port-object eq 407         (timbuktu remote access)
 port-object eq 548         (apple file sharing)
 port-object eq 587         (message submission protocol)
 port-object eq 873         (rsync)
 port-object eq 989         (ftps-data)
 port-object eq 990         (ftps)
 port-object eq 992         (telnets)
 port-object eq 993         (imaps)
 port-object eq 995         (pop3s)
 port-object eq citrix-ica
 port-object eq 3389
 port-object eq 8080
 port-object eq 1863        (msn)
 port-object eq 2401        (cvspserver)
 port-object eq 3690        (subversion)
 port-object eq 4000        (icq)
 port-object eq 4470        (Surfnet certificate authority)
 port-object eq 5190        (icq / aim)
 port-object eq 5222        (jabber)
 port-object eq 5223        (jabber-ssl)
 port-object eq 5999        (cvsup)
 port-object eq 6667        (irc)
 port-object eq 7000        (apple file sharing)
 port-object eq 7684        (http streams)
 port-object eq 7688        (http streams)
 port-object eq 8000        (http streams)
 port-object eq 6028        (http streams)
 port-object eq 6030        (http streams)
 port-object eq 7028        (http streams)
 port-object eq 7080        (http streams)
 port-object eq 8015        (http streams)
 port-object eq 8022        (http streams)
 port-object eq 8030        (http streams)
 port-object eq 8054        (http streams)
 port-object eq 8500        (http streams)
 port-object eq 8810        (http streams)
 port-object eq 11371       (pgp key protocol)

UDP ports:
 port-object eq domain
 port-object eq ntp
 port-object eq 5060        (session initiation protocol)
 port-object eq 12035       (second life)
 port-object eq 12036       (second life)
 port-object range 13000 13050       (second life)

SIP traffic passes through an 'inspector' in the firewall, which permits the sessions (such as the RTP media streams) negotiated via SIP.

Outgoing e-mail via other providers can be sent over port 587/tcp (message submission protocol), provided the other provider accepts submission on that port; plain SMTP on 25/tcp is not on the list.
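The list above is in the syntax Cisco uses inside an object-group. The following added example (it is not the UU firewall configuration and does not come from the page) parses such port-object lines into a per-protocol allow list and then answers the question a user actually has: "will my outbound connection to port X get through?" under a default-closed policy. The table of Cisco service keywords (domain, www, citrix-ica, ...) and the object-group names cs-out-tcp/cs-out-udp are assumptions; the sample lines are an excerpt of the list above, embedded as constructed input so the script runs offline.

```python
"""Parse Cisco FWSM/ASA-style port-object lines and evaluate outbound
connections against a default-closed policy.

Added example for this help page, not the real firewall configuration.
The keyword table is an assumption mirroring the literal service names
Cisco accepts in object-groups; the sample config is constructed.
"""
import re
from typing import Dict, Set

# Cisco object-group service keywords -> port numbers (assumed Cisco literals).
CISCO_NAMES: Dict[str, int] = {
    "domain": 53, "ftp": 21, "ftp-data": 20, "www": 80, "https": 443,
    "nntp": 119, "pop3": 110, "ssh": 22, "telnet": 23, "imap4": 143,
    "ldap": 389, "ldaps": 636, "citrix-ica": 1494, "ntp": 123,
}

# Constructed sample: an excerpt of the page's list, wrapped in the
# object-group blocks it would live in (group names are assumed).
SAMPLE_CONFIG = """\
object-group service cs-out-tcp tcp
 port-object eq domain
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq 587
 port-object eq 993
 port-object eq 3389
object-group service cs-out-udp udp
 port-object eq domain
 port-object eq ntp
 port-object eq 5060
 port-object range 13000 13050
"""

Policy = Dict[str, Set[int]]  # protocol -> allowed destination ports


def _resolve(token: str) -> int:
    """Turn a port token into a number: numeric or a Cisco service keyword."""
    if token.isdigit():
        port = int(token)
    elif token in CISCO_NAMES:
        port = CISCO_NAMES[token]
    else:
        raise ValueError(f"unknown port keyword: {token!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_port_objects(config: str) -> Policy:
    """Collect the allowed ports per protocol from object-group blocks."""
    policy: Policy = {"tcp": set(), "udp": set()}
    proto = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object-group service \S+ (tcp|udp)$", line)
        if m:
            proto = m.group(1)
            continue
        if proto is None:
            raise ValueError(f"port-object outside an object-group: {line!r}")
        m = re.match(r"port-object eq (\S+)$", line)
        if m:
            policy[proto].add(_resolve(m.group(1)))
            continue
        m = re.match(r"port-object range (\S+) (\S+)$", line)
        if m:
            lo, hi = _resolve(m.group(1)), _resolve(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted range: {line!r}")
            policy[proto].update(range(lo, hi + 1))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return policy


def outbound_allowed(policy: Policy, proto: str, dport: int) -> bool:
    """Default closed: a destination port passes only if it is listed.
    Protocols without a list (icmp, gre, ...) are therefore denied."""
    return dport in policy.get(proto.lower(), set())


def explain(policy: Policy, proto: str, dport: int) -> str:
    """One-line verdict in the firewall's own vocabulary."""
    verdict = "permit" if outbound_allowed(policy, proto, dport) else "deny"
    return f"{verdict} outbound {proto}/{dport}"


if __name__ == "__main__":
    pol = parse_port_objects(SAMPLE_CONFIG)
    for proto, port in [("tcp", 443), ("tcp", 25), ("tcp", 587),
                        ("udp", 13042), ("udp", 13051), ("gre", 0)]:
        print(explain(pol, proto, port))
```

Note that the policy is evaluated per protocol: `domain` appears in both the TCP and the UDP list, but `ntp` only in the UDP one, so 123/tcp is denied. Port 25/tcp is denied because it is simply absent, which is why the page points mail users at 587/tcp.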

Related pages

IP version 6
Security
Statistics gathering and monitoring

Page source last updated: Wed Apr 14 17:11:40 2010
$Id: firewall.help,v 1.5 2010/04/14 15:11:35 koos Exp $
