====== Physics firewall and proxies ======

Physics runs a firewall configuration which blocks all unwanted incoming connections from both the university and the internet in general, and also controls traffic between the internal subnets. It is possible to set firewall exceptions for specific systems where research needs require it. If you have such a need, talk to us about it and we'll help figure out a solution.

===== External connections =====

  * Port 22/tcp (ssh) is the only port which is open to all static internal hosts from University of Minnesota VPN and campus networks. ssh is //not// open to dynamic IP addresses.
  * spa-ssh-01.spa.umn.edu is the only host that is open to the world; Duo login is required unless an SSH key is used.

===== Internal connections =====

  * Windows file sharing is restricted between several internal subnets.
  * All internal subnets are permitted access to the following services:
    * Physics DNS servers
    * Software license servers (e.g. for IDL, Mathematica)
    * Main Physics "windows" (samba) file server and print queues
    * Department printers using port 9100 ("jetdirect")

===== SSH Tunnelling =====

If you need to connect to a system inside Tate Lab from outside, most simple applications can be tunnelled using [[:computing:software:ssh|ssh]]. For example, VNC (a remote desktop application) can be tunnelled by following this guide: [[http://home.highertech.net/~john/Putty-Tunnel/putty-tunnel.html|Tunneling VNC over SSH with PuTTY]]. If you need assistance with configuring SSH to support your application, contact us for help.

==== SSH Tunnelling Examples ====

=== Unix/Linux ===

To make localhost:1234 connect to somehost.physics.umn.edu on port 5510:

<code>
$ ssh -L1234:somehost.physics.umn.edu:5510 myusername@physics.umn.edu
</code>

Note that the destination name (''somehost.physics.umn.edu'') is resolved and connected to by the ssh server you log in to, not by your own machine, so it can be an internal host that is not reachable from outside. By default the forwarded port listens only on localhost of your own machine; do not add ''-g'' (or set ''GatewayPorts yes'') unless you intend other machines to reach the tunnel, since anyone who can reach that port gets the same access to the internal host that you have.

=== Windows ===

The guide [[http://helpdeskgeek.com/how-to/tunnel-vnc-over-ssh/|How to Tunnel VNC over SSH]] gives an example of using PuTTY to forward VNC over SSH.
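As an added example (not part of the original page), the following Python script wraps the Unix command above so that the forward is bound to 127.0.0.1 only, no remote shell is opened, the script waits until the local end of the tunnel actually accepts connections before starting the client, and the tunnel is torn down afterwards. The gateway account ''myusername@physics.umn.edu'', the target host and the ports are the ones from the wiki example; the ''vncviewer'' command is an assumed client.

```python
"""Added example, not from the Physics wiki: open a loopback-only SSH local
port forward, wait for it, run a client through it, then close the tunnel.
Hostnames and ports are the wiki example's; 'myusername' is a placeholder."""
import socket
import subprocess
import sys
import time

GATEWAY = "myusername@physics.umn.edu"     # placeholder account from the wiki example
TARGET_HOST = "somehost.physics.umn.edu"    # resolved by the gateway, not by your machine
TARGET_PORT = 5510
LOCAL_PORT = 1234


def ssh_forward_command(local_port, target_host, target_port, gateway=GATEWAY):
    """Build the ssh argv for a local forward.

    -L is given with an explicit 127.0.0.1 bind address so the forwarded port
    is never exposed to other machines.  -N opens no remote shell, and
    ExitOnForwardFailure makes ssh exit instead of silently continuing when
    the local port is already in use or the server refuses the forward.
    """
    if not (1 <= local_port <= 65535 and 1 <= target_port <= 65535):
        raise ValueError("port out of range")
    forward = f"127.0.0.1:{local_port}:{target_host}:{target_port}"
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-L", forward, gateway]


def wait_for_port(port, timeout=10.0, host="127.0.0.1"):
    """Return True once something accepts TCP connections on host:port,
    False if nothing does within timeout seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def run_through_tunnel(client_argv):
    """Start the tunnel, run client_argv once the local port is live, then
    terminate ssh.  Returns the client's exit status."""
    tunnel = subprocess.Popen(
        ssh_forward_command(LOCAL_PORT, TARGET_HOST, TARGET_PORT))
    try:
        # If ssh has already exited (bad password, port in use, forward
        # refused) the port may be open because some other program owns it,
        # so check the process as well as the port.
        if not wait_for_port(LOCAL_PORT) or tunnel.poll() is not None:
            raise RuntimeError(
                f"tunnel on 127.0.0.1:{LOCAL_PORT} did not come up "
                f"(ssh exit status {tunnel.poll()})")
        return subprocess.call(client_argv)
    finally:
        tunnel.terminate()
        tunnel.wait()


if __name__ == "__main__":
    # Assumed client: a VNC viewer pointed at the local end of the tunnel.
    sys.exit(run_through_tunnel(["vncviewer", f"127.0.0.1:{LOCAL_PORT}"]))
```

Because the script polls the port rather than sleeping for a fixed time, it works whether ssh prompts for a password and Duo or uses a key, and it fails loudly instead of launching the client against a port that nothing is listening on.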
===== Proxies =====

Some applications do not behave properly when used behind a firewall. In this case a proxy can help. Please refer to the following list of workarounds:

==== FTP Proxy ====

Physics users may have trouble transferring data to or from some FTP servers if those FTP servers are also behind a firewall. We provide an FTP proxy server to work around this problem. To use it:

  * Use your ftp program to connect to ''ftp-proxy.spa.umn.edu''
  * At the Name prompt, enter ''username@hostname'', where ''hostname'' is the remote site you want to connect to and ''username'' is your username at the remote site.
  * At the Password prompt, enter your password for the remote site.

Command-line example:

<code>
$ ftp ftp-proxy.spa.umn.edu
Connected to dunnotar.spa.umn.edu.
220 FTP proxy (v0.13.5) ready
Name (ftp-proxy.spa.umn.edu:root): anonymous@some-ftp.site.edu
Password:
230 Login successful.
ftp>
</code>

Some FTP servers may not behave gracefully with the basic ''ftp'' command-line tool. If that fails, you might try ''ncftp'', which is an improved client. For example:

<code>
ncftp -u anonymous@archive.stsci.edu ftp-proxy.spa.umn.edu
</code>

or for the non-anonymous version:

<code>
ncftp -u myusername@archive.stsci.edu -p mypassword ftp-proxy.spa.umn.edu
</code>

Note that a password given on the command line this way is visible to other users of the machine in the process list and ends up in your shell history; it is better to omit ''-p'' and let the client prompt for it. Remember also that plain FTP sends your username and password unencrypted, and that when you go through the proxy the proxy necessarily sees them.

To connect to an FTP site using a web browser, you would use a URL like this (the comma takes the place of the ''@'' between the username and the target host):

''ftp://user,targethost:passwd@ftp-proxy.spa.umn.edu/''

for example to connect to the HST archive at stsci.edu:

''ftp://anonymous,stdatu.stsci.edu:anonymous@ftp-proxy.spa.umn.edu/''
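As an added example that is not part of the wiki, the following Python code shows the same proxy conventions from a script: the ''user@host'' login name for a normal FTP client (here the standard library's ''ftplib''), the browser-style ''user,host:password@proxy'' URL with the password percent-encoded so characters such as ''@'', '':'' or ''/'' cannot break the URL, and a login that prompts for the password instead of taking it on the command line. The proxy hostname and the ''archive.stsci.edu'' / ''stdatu.stsci.edu'' targets are from the wiki; that the proxy accepts an ordinary FTP login with this name is what the wiki describes, nothing else about the proxy is assumed.

```python
"""Added example, not the proxy's own code or from the Physics wiki: use the
department FTP proxy from Python.  Proxy host and target sites are those
the wiki documents."""
import ftplib
import getpass
from urllib.parse import quote

PROXY_HOST = "ftp-proxy.spa.umn.edu"


def proxy_login_name(remote_user, remote_host):
    """Name to present to the proxy: 'remoteuser@remotehost', as the wiki
    describes.  A host containing '@' would make the name ambiguous."""
    if "@" in remote_host or not remote_host:
        raise ValueError("remote host must be non-empty and must not contain '@'")
    return f"{remote_user}@{remote_host}"


def proxy_browser_url(remote_user, remote_host, password, path="/"):
    """Browser URL in the wiki's form ftp://user,host:password@proxy/.

    The comma separates user from target host because an '@' there would
    end the userinfo part of the URL.  User and password are percent-encoded
    (safe='' so '/', ':' and '@' are encoded too); the browser decodes them
    before sending USER/PASS, which is the normal URL rule."""
    if not path.startswith("/"):
        path = "/" + path
    return (f"ftp://{quote(remote_user, safe='')},{remote_host}:"
            f"{quote(password, safe='')}@{PROXY_HOST}{path}")


def list_remote_directory(remote_user, remote_host, directory="/", password=None):
    """Log in to the remote site through the proxy and return its directory
    listing as a list of lines.  The password is prompted for rather than
    taken as a command-line argument, so it does not appear in 'ps' output
    or shell history (unlike 'ncftp -p mypassword')."""
    if password is None:
        password = getpass.getpass(f"Password for {remote_user}@{remote_host}: ")
    lines = []
    with ftplib.FTP(PROXY_HOST, timeout=30) as ftp:
        ftp.login(proxy_login_name(remote_user, remote_host), password)
        # Passive mode: data connections are opened from our side, which is
        # the direction a firewall in front of us will allow.
        ftp.set_pasv(True)
        ftp.cwd(directory)
        ftp.retrlines("LIST", lines.append)
    return lines


if __name__ == "__main__":
    # Anonymous FTP convention: an e-mail address as the password.
    for line in list_remote_directory("anonymous", "archive.stsci.edu",
                                      password="user@example.edu"):
        print(line)
```

Keep in mind that FTP, with or without the proxy, carries the credentials in the clear; for a site that offers SFTP or HTTPS, prefer those and you will not need the proxy at all.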