Blocked and Allowed Ports: Difference between revisions

From bwCloud-OS
Latest edit by Admin-ulm-1, no edit summary (5 intermediate revisions by 2 users not shown).
=== Changes shown in this diff ===

Region Mannheim, text of the previous revision (replaced in the current revision by the Region Mannheim section of the latest revision below):

To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.

In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:

{| class="wikitable"
! Transport !! Port !! Protocol !! Description !! Blocking
|-
| TCP (open) || 22 || ssh || SSH Server || in/outbound
|-
| TCP (open) || 80 || http || Web Server || in/outbound
|-
| UDP,TCP (open) || 443 || https || Web Server over SSL || in/outbound
|-
| TCP (open) || 465 || smtps || SMTP over SSL || in/outbound
|-
| TCP (open) || 587 || submission || Message Submission || in/outbound
|-
| TCP (open) || 990 || FTPs || FTP protocol, control, over TLS/SSL || in/outbound
|-
| TCP (open) || 993 || IMAPs || IMAP Mail over SSL || in/outbound
|-
| TCP (open) || 995 || POPs || POP Mail over SSL || in/outbound
|}

The following ports are blocked in the range above 1023:

{| class="wikitable"
! Transport !! Port !! Protocol !! Description !! Blocking
|-
| TCP || 1433,1434 || MS-SQL || MS Office || inbound
|-
| TCP || 1501 || TSM || Backup || inbound
|-
| TCP || 1900 || SSDP || Service Discovery || inbound
|-
| UDP,TCP || 2049 || NFS || Filesystem || inbound
|-
| TCP || 2967 || Symantec || Symantec || inbound
|-
| UDP || 3283 || Apple || Apple Remote Desktop || inbound
|-
| TCP || 3306 || mysql || MySQL || inbound
|-
| UDP,TCP || 3389 || RDP || Remote Desktop || inbound
|-
| UDP || 3702 || Printer || WS-Discovery || inbound
|-
| UDP,TCP || 4045 || lockd || Filesystem || inbound
|-
| TCP || 4369 || EPMD || PortMapper || inbound
|-
| TCP || 5000 || UPnP || Universal Plug and Play || inbound
|-
| UDP || 5353 || mdns || Multicast DNS || inbound
|-
| TCP || 5432 || PostgreSQL || PostgreSQL || inbound
|-
| TCP || 5985 || WinRM || WinRM || inbound
|-
| TCP || 8333 || Bitcoin || Bitcoin Full Node || inbound
|-
| TCP || 8080 || www-alt || Alternative WWW Port || inbound
|-
| TCP || 9075 || nx-os || Cisco Nexus || inbound
|-
| UDP || 11211 || memcached || Memcached || inbound
|-
| TCP || 27017 || MongoDB || MongoDB || inbound
|-
| UDP || 32100 || IoT || IoT || outbound
|-
| UDP || 32414 || open-SSDP || Plex Media Servers || inbound
|}

Region Ulm, rows added to the blocked-port table in the current revision (all other Ulm rows are unchanged):

{| class="wikitable"
! Transport !! Port !! Description / Reason
|-
| TCP || 25 || SMTP, with explicit allow list
|-
| TCP || 389 || LDAP, with explicit allow list
|-
| UDP || 53 || DNS, with explicit allow list
|-
| UDP || 123 || NTP, with explicit allow list
|-
| UDP || 3478 || STUN, with explicit allow list
|}

Latest revision as of 18:29, 13 April 2026

== General ==

The data centers of the universities hosting the bwCloud-OS operating sites block certain ports within their respective networks for security reasons. The bwCloud-OS regions are affected as well, because the bwCloud-OS hardware is connected to the central network infrastructure of each site.

Some of the public IP ranges of the bwCloud-OS regions belong to the BelWü address space. These addresses lie logically outside the network ranges of the hosting universities (the bwCloud locations), so the firewalls of the respective institutions treat them as external addresses.

== Effects of the Packet Firewall for Users ==

The most important effect for users is that the network runs more reliably and securely. Many attacks are already stopped at the packet firewall and never reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.

However, there are a number of limitations to consider: if a service other than those generally allowed here must be reachable from outside, this has to be requested from the university IT. The corresponding port is then opened on the packet firewall.

Connections that appear to be purely outbound from the instance to certain services may also fail. This happens whenever the external server providing the service needs to open a return connection back to the instance, which the blocked inbound ports prevent; the cause is often hard for the user to verify from the instance side.

== Region Freiburg ==

TODO: add

{| class="wikitable"
! Transport !! Port !! Protocol !! Description !! Blocking
|}

== Region Mannheim ==

The bwCloud-OS networks are accessible from the outside on '''all ports'''.

The following ports are blocked outbound (for all networks):

{| class="wikitable"
! Transport !! Port !! Description
|-
| UDP, TCP || 128 || Reserved / GSS X License
|-
| TCP || 129-139 || NetBIOS / RPC
|-
| UDP, TCP || 445 || SMB / Microsoft-DS
|-
| UDP || 11211 || Memcached
|-
| UDP || 32100 || IoT
|}

== Region Karlsruhe ==

In the bwCloud-OS Karlsruhe network, the following ports are blocked:

{| class="wikitable"
! Transport !! Port !! Protocol !! Description !! Blocking
|-
| UDP, TCP || 111 || RPC Portmapper || Portmapper Security || inbound/outbound
|}

== Region Ulm ==

In the bwCloud-OS Region Ulm, the following ports are blocked by the university border firewall:

{| class="wikitable"
! Transport !! Port Range !! Description / Reason
|-
| TCP, UDP || 0 - 19 || lower protocols, like chargen, etc. used for DDoS
|-
| TCP, UDP || 23 || telnet
|-
| TCP, UDP || 42 || WINS
|-
| TCP, UDP || 67 - 69 || DHCP, tftp
|-
| TCP, UDP || 111 || rpc
|-
| TCP, UDP || 119 || nntp
|-
| TCP, UDP || 135 || loc-srv
|-
| TCP, UDP || 137 - 139 || SMB
|-
| TCP, UDP || 143 || IMAP, with explicit allow list
|-
| TCP, UDP || 161 - 162 || SNMP
|-
| TCP, UDP || 427 || SLP, Service Location Protocol
|-
| TCP, UDP || 445 || ms-ds
|-
| TCP, UDP || 512 - 515 || exec, login, who, syslog, shell, printer
|-
| TCP, UDP || 520 - 521 || rip, ripng
|-
| TCP, UDP || 548 || AFP, Apple File Protocol
|-
| TCP, UDP || 623 || IPMI
|-
| TCP, UDP || 631 || cups
|-
| TCP, UDP || 993 || IMAP, with explicit allow list
|-
| TCP, UDP || 1900 || SSDP
|-
| TCP, UDP || 2049 || nfsd
|-
| TCP, UDP || 3306 || MySQL
|-
| TCP, UDP || 3389 || RDP
|-
| TCP, UDP || 4045 || nfs lockd
|-
| TCP, UDP || 4369 || Erlang Port Mapper Daemon (EPMD)
|-
| TCP, UDP || 5432 || Postgres
|-
| TCP, UDP || 6443 || Kubernetes
|-
| TCP, UDP || 9000 - 10999 || 3CX RTP, with explicit allow list
|-
| TCP, UDP || 9100 || raw printer queues
|-
| TCP, UDP || 49152 || MS-RPC, allow incoming only established
|-
| TCP, UDP || 49664 - 49670 || MS-RPC, allow incoming only established
|-
| TCP || 25 || SMTP, with explicit allow list
|-
| TCP || 110 || POP
|-
| TCP || 389 || LDAP, with explicit allow list
|-
| TCP || 873 || rsync - maybe make a Server ACL like FTP
|-
| TCP || 995 || POPS
|-
| TCP || 1801 || Microsoft Message Queuing Service, CVE-2023-21554
|-
| TCP || 5800 || VNC
|-
| TCP || 5900 || VNC
|-
| TCP || 5901 || VNC, sic may be more...
|-
| TCP || 6000 || X-Server
|-
| TCP || 6379 || REDIS
|-
| TCP || 9401 || Veeam Backup, CVE-2023-27532
|-
| TCP || 27017 || MongoDB
|-
| UDP || 53 || DNS, with explicit allow list
|-
| UDP || 123 || NTP, with explicit allow list
|-
| UDP || 177 || XDMCP, X Display Manager ...
|-
| UDP || 389 || LDAP, UDP-based Amplification Attacks
|-
| UDP || 1434 || MS-SQL
|-
| UDP || 3283 || Apple Remote Desktop
|-
| UDP || 3478 || STUN, with explicit allow list
|-
| UDP || 3702 || WS-Discovery
|-
| UDP || 5093 || SPSS License Server
|-
| UDP || 5353 || mDNS, UDP-based Amplification Attacks
|}
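The Region Ulm and Region Mannheim tables above share one row layout: a transport column that may list one or both of TCP and UDP, a single port or a "lo - hi" range, and a free-text reason that sometimes carries the note "with explicit allow list". The following Python is an added example, not code from the bwCloud-OS wiki or its operators: it parses rows in that layout (the sample rows are copied from the two tables on this page), answers whether a given protocol/port is blocked at the border, and renders the same list as an nftables chain so an instance can mirror the border policy on the host itself as a second layer. The names `Rule`, `parse_rows`, `is_blocked`, `to_nftables` and the chain name `campus_mirror` are this example's own choices, not anything the page or the bwCloud-OS sites define.

```python
"""Parse bwCloud-OS blocked-port tables and mirror them as nftables rules.

Added example, not code from the bwCloud-OS wiki. The row layout and the
sample rows are copied from the Region Ulm and Region Mannheim tables on the
page; the function names, the Rule type and the nftables rendering are this
example's own design.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the Region Ulm rows (blocked inbound
# at the university border firewall) in the page's flattened
# "Transport  Port Range  Description / Reason" layout.
ULM_ROWS = """
TCP, UDP 0 - 19 lower protocols, like chargen, etc. used for DDoS
TCP, UDP 137 - 139 SMB
TCP, UDP 143 IMAP, with explicit allow list
TCP, UDP 445 ms-ds
TCP 25 SMTP, with explicit allow list
TCP 6379 REDIS
UDP 53 DNS, with explicit allow list
UDP 5353 mDNS, UDP-based Amplification Attacks
"""

# Constructed sample input: the Region Mannheim rows (blocked outbound).
MANNHEIM_ROWS = """
UDP, TCP 128 Reserved / GSS X License
TCP 129-139 NetBIOS / RPC
UDP, TCP 445 SMB / Microsoft-DS
UDP 11211 Memcached
UDP 32100 IoT
"""

ROW_RE = re.compile(
    r"^(?P<protos>(?:TCP|UDP)(?:,\s*(?:TCP|UDP))?)\s+"  # TCP, UDP, "TCP, UDP", "UDP, TCP"
    r"(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?\s+"             # single port or "lo - hi" range
    r"(?P<desc>.+)$"                                      # free-text description / reason
)


@dataclass(frozen=True)
class Rule:
    protos: tuple      # ("tcp",), ("udp",) or ("tcp", "udp")
    lo: int
    hi: int
    desc: str
    allow_list: bool   # border firewall keeps explicit exceptions for this port


def parse_rows(text):
    """Turn flattened table rows into Rule objects, rejecting malformed rows."""
    rules = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        # Normalise "UDP, TCP" and "TCP, UDP" to the same tuple.
        protos = tuple(sorted(p.strip().lower() for p in m["protos"].split(",")))
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in row: {line!r}")
        desc = m["desc"].strip()
        rules.append(Rule(protos, lo, hi, desc, "allow list" in desc.lower()))
    return rules


def is_blocked(rules, proto, port):
    """Return the Rule that blocks proto/port at the border, or None if it is open."""
    proto = proto.lower()
    for r in rules:
        if proto in r.protos and r.lo <= port <= r.hi:
            return r
    return None


def to_nftables(rules, hook="input", chain="campus_mirror"):
    """Render the rules as an nftables chain that drops the same ports on the guest.

    hook="input" mirrors an inbound block (Ulm), hook="output" an outbound
    block (Mannheim). Keeping the same ports closed on the instance itself
    also covers traffic that never crosses the border firewall.
    """
    if hook not in ("input", "output"):
        raise ValueError("hook must be 'input' or 'output'")
    lines = ["table inet filter {", f"  chain {chain} {{",
             f"    type filter hook {hook} priority 0; policy accept;"]
    for r in rules:
        ports = f"{r.lo}-{r.hi}" if r.lo != r.hi else str(r.lo)
        note = " [allow list at border]" if r.allow_list else ""
        for proto in r.protos:
            lines.append(f'    {proto} dport {ports} drop comment "{r.desc}{note}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(parse_rows(ULM_ROWS), hook="input"))
    print(to_nftables(parse_rows(MANNHEIM_ROWS), hook="output"))
```

The generated chain uses `policy accept` and only adds `drop` rules, so loading it cannot lock an instance out of ports the border already permits; rows flagged "with explicit allow list" are still rendered as plain drops, because the border's exception list is not published on this page and must be requested from the university IT as described above.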