School of Physics & Astronomy
Physics & Astronomy Wiki

Physics firewall and proxies

Physics runs a firewall that blocks all unwanted incoming connections, both from the rest of the university and from the internet in general, and also controls traffic between the internal subnets.

It is possible to set firewall exceptions for specific systems, where research needs require it. If you have such a need, talk to us about it, and we'll help figure out a solution.

External connections

  • Port 22/tcp (SSH) is the only port open to all static internal hosts from everywhere on the internet. SSH is not opened for internal hosts on dynamic IP addresses.

Internal connections

  • Windows file sharing is restricted between several internal subnets
  • All internal subnets are permitted access to the following services
    • Physics DNS servers
    • Software license servers (e.g. for IDL, Mathematica)
    • Main Physics “Windows” (Samba) file server and print queues
    • Department printers using port 9100 (“jetdirect”)

SSH Tunnelling

If you need to connect to a system inside Tate Lab from outside, most simple applications can be tunnelled using ssh. For example, VNC (a remote desktop application) can be tunnelled by following this guide: Tunneling VNC over SSH with PuTTY. If you need assistance with configuring SSH to support your application, contact us for help.

SSH Tunnelling Examples

Unix/Linux

To forward localhost:1234 to port 5510 on somehost.physics.umn.edu, through an SSH login to physics.umn.edu:

$ ssh -L1234:somehost.physics.umn.edu:5510 myusername@physics.umn.edu

Windows

The guide How to Tunnel VNC over SSH gives an example of using PuTTY to forward VNC over SSH.

Proxies

Some applications do not behave properly when used behind a firewall. In this case a proxy can help. Please refer to the following list of workarounds:

FTP Proxy

Physics users may have trouble transferring data to or from some FTP servers, if those ftp servers are also behind a firewall. We provide an ftp proxy server to work around this problem. To use it:

  • Use your ftp program to connect to ftp-proxy.spa.umn.edu
  • At the Name prompt, enter username@hostname where hostname is the remote site you want to connect to, and username is the username at the remote site.
  • At the Password prompt, enter your remote site password.

Command-line example:

$ ftp ftp-proxy.spa.umn.edu
Connected to dunnotar.spa.umn.edu.
220 FTP proxy (v0.13.5) ready
Name (ftp-proxy.spa.umn.edu:root): anonymous@some-ftp.site.edu
Password:
230 Login successful.
ftp>

Some FTP servers may not behave gracefully with the basic ftp command-line tool. If that fails, try ncftp, an improved client. For example:

ncftp -u anonymous@archive.stsci.edu ftp-proxy.spa.umn.edu

or for the non-anonymous version:

ncftp -u myusername@archive.stsci.edu -p mypassword ftp-proxy.spa.umn.edu

To connect to an FTP site through the proxy from a web browser, use a URL of this form:

ftp://user,targethost:passwd@ftp-proxy.spa.umn.edu/

For example, to connect to the HST archive at stsci.edu:

ftp://anonymous,stdatu.stsci.edu:anonymous@ftp-proxy.spa.umn.edu/
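The Name-prompt form (username@hostname) and the browser form (ftp://user,targethost:passwd@ftp-proxy.spa.umn.edu/) above are the same proxy login written two ways. The following Python helpers, added here and not part of this wiki page or of the proxy software, build and parse both forms, percent-encoding the remote user and password so that a ':' or '@' inside them is not mistaken for a delimiter; the function names are my own.

```python
from urllib.parse import quote, unquote, urlsplit

PROXY_HOST = "ftp-proxy.spa.umn.edu"  # proxy host named on the page


def proxy_login_name(user, target_host):
    """Name-prompt form used with the ftp and ncftp clients: user@target."""
    if not user or not target_host:
        raise ValueError("both the remote user and the target host are required")
    return f"{user}@{target_host}"


def proxy_url(user, target_host, password, path="/"):
    """Browser form: ftp://user,target:password@proxy/path.

    The comma separates the remote user from the target host because a
    second '@' in the userinfo would be ambiguous; user and password are
    percent-encoded so that a ':', '@' or ',' inside them stays literal."""
    userinfo = f"{quote(user, safe='')},{target_host}:{quote(password, safe='')}"
    return f"ftp://{userinfo}@{PROXY_HOST}{path}"


def parse_proxy_url(url):
    """Split a browser-form proxy URL back into its parts (a dict)."""
    parts = urlsplit(url)
    if parts.scheme != "ftp" or parts.hostname != PROXY_HOST:
        raise ValueError("not a URL for the Physics FTP proxy")
    # urlsplit takes the userinfo before the last '@' and splits it at the
    # first ':'; it does not percent-decode, so that is done here.
    user_raw, sep, target_host = (parts.username or "").partition(",")
    if not sep or not user_raw or not target_host:
        raise ValueError("userinfo must be user,targethost[:password]")
    return {
        "user": unquote(user_raw),
        "target_host": target_host,
        "password": unquote(parts.password or ""),
        "path": parts.path or "/",
    }


if __name__ == "__main__":
    # Constructed sample: the anonymous HST archive login shown on the page.
    url = proxy_url("anonymous", "stdatu.stsci.edu", "anonymous")
    print(url)
    print(parse_proxy_url(url))
    print(proxy_login_name("anonymous", "some-ftp.site.edu"))
```

A password placed in the URL form ends up in browser history and proxy logs, so the Name/Password prompts of a command-line client are the better choice for non-anonymous accounts.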

computing/network/firewall_and_proxies.txt · Last modified: 2015/05/20 16:28 by allan