Halls of Residence Network – Firewall Access Restrictions
Introduction
The Halls of Residence network has a firewall between it and the external Internet, and there is another firewall to go through to gain access to the main university campus network. The halls firewall protects the halls of residence network from the Internet, and its rules work in conjunction with the main campus firewall's rules to manage what traffic can flow between the Halls network and the university network.
The aim of this web page is to provide students with some information about what traffic is allowed through the firewalls and what is restricted. Please note the last "Reviewed" date at the bottom of the page and look out for future updates.
Regulations
When using any university network connection you are subject to university-wide regulations and, of course, standard government legislation. iSolutions also has to pass on the conditions of use required by UKERNA and LeNSE, who provide the university's external Internet and educational network connection. In addition, individual departments like iSolutions may apply further regulations where necessary to protect our networks from hackers, viruses and denial of service attacks. Please see the related links pages for more information on the various regulations.
New policies
Managed default allow outgoing
Since January 2007 the firewall policy has been changed to allow all outgoing services and then manage these services using an intelligent scanning and filtering system that will detect and/or block dangerous, unwanted, or illegal traffic. In addition to this system we can also manually block certain bad ports or internal and external sources or destinations that we know are a threat or against university regulations. We believe this automatically managed default allow outgoing policy has greatly improved service for students as there are a large number of services and connections that will now work from within Halls. In turn it has also greatly reduced the number of requests from students asking for firewall rules to be added to allow new things to work.
Peer to Peer file sharing blocked
In the first few weeks of this new policy another change had to be made to increase the restrictions on usage of peer to peer file sharing programs on the Halls of Residence network. These programs can automatically attempt to open hundreds of connections per second, and when used by hundreds of people at the same time they were massively degrading the Internet response times for all users on the halls network. In addition, these programs clearly break copyright laws, so the university cannot allow their usage on its network regardless of the problems they cause. So we now monitor and block all peer to peer file sharing traffic through the firewall.
Excessive numbers of new connections per second blocked
Computers that try to open large (excessive) numbers of new connections per second will be detected by our firewall if they reach a certain limit, and new connections from that computer will be blocked automatically for a short amount of time. This allows us to protect against Denial of Service attacks from internal sources, limits the effects that high-traffic port scanning viruses or worms can have on the firewalls, and also restricts the use of any Internet file sharing programs that are making excessive numbers of connections. If your computer is virus infected it could be initiating large numbers of connections to the Internet without your knowledge; if so, you may notice intermittent periods where you cannot access Internet pages, so you should virus scan your computer regularly.
Allowed services between halls, the university and the internet
If a particular TCP/UDP service or internet location (Host machine) is not specifically blocked then outgoing connections to it should be possible and thus incoming replies back from the same host will be allowed back in if part of the same connection. However, if a host machine out on the Internet tries to initiate a connection to a halls machine then it will only work if it is one of the specific "Services" (TCP/UDP ports) listed as "Allowed".
The sections below list what standard incoming services are allowed through and any types of services that might be blocked or won't work through our firewall setup.
Note that if this page has not been updated recently there may be some services that have recently been allowed or blocked that are not on the list.
From Internet to Halls network
The firewall protecting the Halls network from the Internet is set to "Default Deny All" for incoming connections initiated from the Internet (Note, separate rules apply to connections from the main University of Southampton network). The Halls firewall is also configured to use Network Address Translation (NAT) to translate a small number of available "Public" Internet IP addresses (152.78.x.x) to the large number of halls network "Private" IP addresses (10.240.x.x) in use. Using NAT means that outgoing connections from groups of internal private halls IP addresses get translated into individual "Public" IP addresses on their way out. These translations are remembered for each connection by the firewall so that replies back to that IP address can be translated back to the correct internal IP address. However, it does mean that any one of the "Public" IP addresses can relate to many different internal private IP addresses, making it impossible for hosts on the Internet to initiate connections to a particular internal halls IP address. "Port forwarding" is a solution to this issue, but can only be directed at one IP address for each type of service (TCP/UDP port), so it is not suitable given the number of users in halls that may want access to a particular service. Some incoming services could be opened to all users in halls, but again, with the way that NAT works the firewall will not know which internal IP address to forward incoming connections to (so connections are refused).
Therefore as a result of all this, all incoming services / ports are blocked and connections cannot be initiated from the Internet to any halls network IP address. Note that this policy does not apply to connections from the university network as we can "route" these connections through to halls without the need to use NAT.
Replies from the Internet to connections initiated from within halls will be allowed through by the firewall as long as they are using the same ports used by the halls host that started the connection.
We are developing a new network IP address structure so that we can remove the NAT system at some point but no dates have been confirmed for its implementation.
From Halls network to the Internet
When connecting out to the Internet nearly all outgoing TCP and UDP ports should be allowed (open) because the rules are default allow outbound. However there are some outgoing services that are blocked, like all file sharing programs ports / protocols, and other known "bad ports" used by viruses and hackers. Also outbound DNS queries directed at DNS servers on the Internet will not work, and outbound connections to SMTP (email) servers on the internet are blocked too (Use smtp.soton.ac.uk instead).
Please note that most computer programs that connect to the Internet should work with just the outgoing TCP/UDP ports open (all ports required should be open). If a connection is initiated from halls then the returning incoming responses to that connection from that particular Internet host should be allowed back in by the firewall on those particular TCP/UDP ports. But with the firewall using NAT and being default deny inbound, connections initiated from the Internet will not get through, so some programs may not be fully functional (this cannot be helped).
Network Address Translation (NAT) means that all connections going out from the internal halls "Private" IP addresses will be translated into one of the few real "Public" IP addresses, so an external host on the Internet will see the connection coming from a Public IP address (152.78.x.x) and not the private (10.240.x.x) IP address on your computer. The firewall will remember this IP address translation for the duration of the connection so that any returning replies from the external host can be forwarded back to your particular private IP address. Note this only works when the
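The behaviour described above and in the "Excessive numbers of new connections per second" section, modelled as a small Python class: default allow outbound (minus the blocked SMTP/DNS cases), default deny inbound except replies to a connection the firewall remembered, and a per-second new-connection limit with a temporary block. This is an added illustration, not the university's firewall configuration; the relay address, the limit of 5 new connections per second and the 30-second block are assumptions, since the page only says "a certain limit" and "a short amount of time".

```python
import ipaddress
from collections import defaultdict

# Values from the page: halls private range 10.240.x.x, outbound SMTP only
# via smtp.soton.ac.uk, outbound DNS to Internet servers blocked.
# The relay IP, the rate limit and the block duration are assumptions.
HALLS_NET = ipaddress.ip_network("10.240.0.0/16")
SMTP_RELAY = "152.78.0.25"   # assumed address for smtp.soton.ac.uk
RATE_LIMIT = 5               # assumed: new connections per second before a block
BLOCK_SECONDS = 30           # assumed: length of the automatic block


class HallsFirewall:
    """Toy stateful model of the halls firewall policy described on the page."""

    def __init__(self):
        self.flows = set()                   # (src, sport, dst, dport), like a NAT table entry
        self.new_per_sec = defaultdict(int)  # (src, whole second) -> new connections seen
        self.blocked_until = {}              # src -> time until which new connections are dropped

    def outbound(self, src, sport, dst, dport, now):
        """Halls -> Internet: default allow, minus bad ports and the connection-rate limit."""
        if ipaddress.ip_address(src) not in HALLS_NET:
            return "drop: not a halls address"
        if self.blocked_until.get(src, 0) > now:
            return "drop: rate-limited"
        # Outbound DNS to the Internet is blocked; SMTP only to the university relay.
        if dport == 53 or (dport == 25 and dst != SMTP_RELAY):
            return "drop: blocked outbound port"
        key = (src, int(now))
        self.new_per_sec[key] += 1
        if self.new_per_sec[key] > RATE_LIMIT:
            self.blocked_until[src] = now + BLOCK_SECONDS
            return "drop: too many new connections"
        self.flows.add((src, sport, dst, dport))   # remember the connection for its replies
        return "allow"

    def inbound(self, src, sport, dst, dport):
        """Internet -> Halls: default deny; only replies to a remembered outbound flow pass."""
        if (dst, dport, src, sport) in self.flows:
            return "allow: reply to established connection"
        return "drop: default deny inbound"
```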
The following is a list of some of the common services that should work from Halls to the Internet:
| Service Name | Technical Definition | Description |
|---|---|---|
| HTTP and HTTPS | TCP 80, 8080, 443 | Hypertext Transfer Protocol - used for general Internet web browsing. |
| SSH and Telnet | TCP 22, 23 | Remote shell access to computers. |
| FTP | TCP 21+ | File Transfer Protocol - used to connect to remote servers to download (or upload) files. |
| ICMP | ICMP | Used for "ping" and "traceroute". |
| PPTP | Various & GRE | Used by VPN servers. |
| IMAP (and SIMAP), POP-3 (and sPOP) | TCP 143 (TCP 993), TCP 110 (TCP 995) | Used for reading email (Note, SMTP outbound not allowed unless coming from smtp.soton.ac.uk). |
| Remote Desktop, VNC, pcAnywhere | TCP 3389, TCP 5900, various others | Used for remote login to computers over the network: MS Remote Desktop, VNC and pcAnywhere. |
| Instant Messenger Programs | Various ports | MSN Messenger, Yahoo Messenger. Sometimes the video and voice facilities in these programs don't work if MS or Yahoo change the way they work, but currently we are not aware of any problems. |
| IRC | TCP 6665-6669, 7000 | Internet Relay Chat - the original chat software. |
| NetMeeting, PC-Telephone | Various | Used for video and audio conferencing - you may not receive calls but you should be able to make them. |
| NTP, Time | TCP 123, UDP 123 | Network Time Protocol - keeps your computer clock correct. |
| CVS | TCP 2401 | Concurrent Versions System - used by software developers for multiple file version management. |
| AOL | TCP 5190 | If you have an AOL account you can connect to the AOL service from within halls if you wish. |
| Real Player | Various | Used for audio and video streams. |
| Xbox Live | Various | Ports required to play Xbox Live online should be open. |
There are many other Internet services that will also work from the halls network and are not listed here.
Many online games should work too but we cannot guarantee that everything will work because of the use of Network Address Translation (NAT) in the firewall and the blocking of all incoming connections initiated from the Internet. Connections to games servers should work as long as they do not try to make separate connections back.
If there are any Internet services that do not work from in halls then you can contact iSolutions ServiceLine and ask us whether we believe they should be working or not (you will need to tell us what TCP or UDP ports are required by the program).
From Halls to the University network
Remembering that there are two firewalls between the halls network and the university network, the Halls firewall policy now allows all types of connections to the Soton campus network. But then the university network firewall has rules to restrict and allow what can come in from the halls network. The campus firewall is also default deny inbound but already has many rules in there to allow "external IP addresses" to access certain publicly accessible services and machines on certain TCP/UDP ports. The Halls network 10.240.x.x IP addresses are also treated as "external IP addresses" by the campus firewall, so any services and machines that are accessible or blocked from the internet are also accessible or blocked from halls too.
So university servers that are already accessible from the Internet should also be accessible from halls, for example HTTP(S) servers, FTP servers, DNS servers, IMAP and POP email servers, SMTP servers, NTP servers, NNTP servers, and some FTP or SSH servers. Soton Multicast sites, Library online resources, and hundreds of other university servers and services that are publicly accessible from the Internet should also be accessible from halls. The ECS network should also be accessible (in the same way that it is from the Internet) subject to ECS's firewall rules.
In addition to all the publicly available services, the Halls of Residence network is allowed access through the firewall to most IP addresses on the university network using the TCP ports required for HTTP, HTTPS, DNS, FTP, SSH, IMAP, IMAPS, TIME and NTP.
Certain university network IP addresses, bad TCP/UDP ports and services are blocked for security reasons.
Network Address Translation (NAT) does not apply (not needed) for connections between Halls and the main university network, so connections can be made to and from the private 10.240.x.x IP addresses in halls successfully.
From the University network to Halls
Only the following services are available when attempting to connect from the university network to a machine on the Halls network; all other ports are blocked by the default deny policy:
| Service Name | Port Open | Description |
|---|---|---|
| FTP | TCP 21 | File Transfer Protocol - used to connect to remote servers to download (or upload) files |
| SSH | TCP 22 | Secure Terminal Services - Allows you to login to remote machines using a secure shell. |
| MS Terminal Service | TCP 3889 | Remote Desktop Connection - Connect and login to your Windows PC remotely. |
| VNC | TCP 5900 | Remote Desktop Connection - VNC version |
| OpenWindows | TCP 2000 | For using OpenWindows (Graphical User Interface for SUN systems) |
| SubVersion | TCP 3690 | Software development document version control programs. |
| GRE | Protocol 47 | Generic Routing Encapsulation - VPN tunnelling. Will allow VPN connections through either way. |
From halls room to halls room
Connections between computers within the Halls of Residence network will not pass through the firewall and so will not be affected by the rules above. However, there are sets of rules configured on the internal halls network switches that can be turned on or off to block (protect) each halls network point from other computers on the halls network. This service is known as the Halls of Residence Network Connections Protection Service (see related links) and acts like a mini personal firewall for each room's network point to protect it from infected or other computers on the halls network.
If the Protection Service blocking is enabled for your particular halls network point then ALL incoming traffic from any other computer on the halls network to your network point will be blocked (Note, this does not include traffic from the Internet or university campus). This protection or rule can be turned off or back on easily by the occupant of the room just by following the instructions on the Halls of Residence Network Connections Protection Service page.
Without this protection turned on, traffic from halls room to halls room is unrestricted.
Note that the Erasmus Park halls do not have the Protection Service facility.
Requests for Halls Firewall information or additional services
Requests for additional services should be sent to ServiceLine@soton.ac.uk with legitimate reasons for the request, which ports require opening (TCP or UDP, outgoing or incoming), and ideally some evidence that these ports are safe to open in the firewall and are not security risks for hacking or viruses.
These requests will be considered in due course. Requests that will break copyright or other laws will not be considered.