Firewall
Depending on source and target of network traffic different firewalls need to be passed. This document is meant to help with understanding where which firewall is relevant. There are basically four variants how network traffic can be limited.
Firewallvariants:
- Only the first packet of a new connection is checked. If this packet is allowed all subsequent traffic which is related to this connection will be allowed regardless of direction.
- Every packet is checked and either allowed or denied.
- A connection will be blocked when the number of connections or data packets between two network addresses exceeds certain thresholds. The block will be lifted automatically after some time in most cases. Should there be indications of a security issue the block may persist indefinitely or require further enquiry to lift. The measurements for these blocks are collected at the link between the MWN and the rest of the internet. They are managed by the LRZ.
- Private network addresses can not be reached from outside of their local network. Depending on the network some private nets may be routed in a larger area or may even be able to reach the internet through a NAT-gateway. Even in this case the private addresses are still not reachable from outside. A port forwarding on the NAT-gateway may lift this limitation for specific ports.
APR:
Variant 1:
A workstation in the student pools is configured quite openly where outbound traffic is concerned. If you want to use VMs/Containers with your own network config please read the relevant documentation on which networks to use.
Inbound traffic on the other hand is limited to the MWN. Should you have a short-term need for externaly initiated connections you could use for example a ssh tunnel through our remote machines. The LRZ VPN can help here too.
Variant 2:
Outbound only Port 631(Cups/Printer) is blocked.
Services:
Variant 1:
Databases
This service is only reachable from inside the MWN.
Aktiv Webpages (cgi, php, etc)
This service is only reachable from inside the MWN but is allowed to create outbound connections without restrictions.
IT on WiFi
Eduroam WiFi
On Eduroam you get a private IPv4 address routed in the MWN and a globally routed IPv6 address.
Variant 1:
The network traffic with the global IPv6 address has the normal LRZ imposed restrictions to the rest of the internet.
Variant 4:
The network traffic with the private IPv4 address has the limitations of variant 4. The traffic is freely routed inside of the MWN and passes to the outside through the LRZ Secomat/NAT-Gateway. Portforwarding is not intended.
Bayern WiFi
Please inform yourselves here concerning network traffic limitations. In addition to the network firewall a cyber nanny is also active on this network.
Variant 4:
Bayern WiFi only uses private IPv4 addresses. Therefore the limitations of variant 4 apply.
CIP WiFi
Variant 1:
You can choose one of three firewall configurations for your device upon authentication.
Variant 2:
Port 111(sunrpc), 2049(NFS), 25(smtp) are blocked.
IT on Wallports/Switch
CIP
Please see the CIP Wifi headpoint for this.
LRZ
This is analogous to the Eduraom headpoint.
LRZ VPN
The LRZ offers a VPN service which treats your device analogously to Eduroam.