Blocked and Allowed Ports: Difference between revisions
Admin-ulm-1 (talk | contribs) |
Admin-ulm-1 (talk | contribs) |
||
| Line 96: | Line 96: | ||
|} | |} | ||
== Region Ulm == | == Region Ulm == | ||
In the bwCloud-OS Region Ulm | In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall: | ||
{| class="wikitable" | {| class="wikitable" | ||
! Transport !! Port Range !! Description / Reason | ! Transport !! Port Range !! Description / Reason | ||
Revision as of 12:08, 31 March 2026
General
The data centers of the universities of the bwCloud-OS operating sites block certain ports within their respective networks for security reasons. The bwCloud-OS regions are also affected, because the bwCloud-OS hardware is connected to the central network infrastructure.
Some of the public IP ranges of the bwCloud-OS regions are part of the BelWü address space. These addresses are logically outside the network ranges of the hosting universities (the locations of bwCloud). The addresses are treated as external by the firewalls of the respective institutions.
Effects of the Packet Firewall for Users
The most important effect for users is that the network runs more reliably and securely. Many hacker attacks are already blocked at the packet firewall and do not reach the campus or the end systems. The importance of this protection is evident from the fact that attacks now occur almost daily.
However, there are a number of limitations to consider: if services other than the generally allowed ones listed here should be accessible from outside, this must be reported to the university IT. The corresponding service will then be enabled on the packet firewall.
It may also happen that seemingly outbound connections from the instance to certain services do not work. This occurs whenever the external server providing the service tries to establish a return connection to the instance, which is often difficult for the user to verify.
Region Mannheim
To provide basic network protection at the University of Mannheim, certain applications have been blocked at the boundaries of the university network to BelWü since October 1999. This is not intended to represent a central firewall of the university, but rather to filter out the most obvious threats at the outer boundaries of the Mannheim campus according to the "onion layer" principle.
In the "well-known" ports range (i.e., ports below 1024), the following ports are open in server networks:
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| TCP (open) | 22 | ssh | SSH Server | in/outbound |
| TCP (open) | 80 | http | Web Server | in/outbound |
| UDP,TCP (open) | 443 | https | Web Server over SSL | in/outbound |
| TCP (open) | 465 | smtps | SMTP over SSL | in/outbound |
| TCP (open) | 587 | submission | Message Submission | in/outbound |
| TCP (open) | 990 | FTPs | FTP protocol, control, over TLS/SSL | in/outbound |
| TCP (open) | 993 | IMAPs | IMAP Mail over SSL | in/outbound |
| TCP (open) | 995 | POPs | POP Mail over SSL | in/outbound |
The following ports are blocked in the range above 1023:
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| TCP | 1433,1434 | MS-SQL | MS Office | inbound |
| TCP | 1501 | TSM | Backup | inbound |
| TCP | 1900 | SSDP | Service Discovery | inbound |
| UDP,TCP | 2049 | NFS | Filesystem | inbound |
| TCP | 2967 | Symantec | Symantec | inbound |
| UDP | 3283 | Apple | Apple Remote Desktop | inbound |
| TCP | 3306 | mysql | MySQL | inbound |
| UDP,TCP | 3389 | RDP | Remote Desktop | inbound |
| UDP | 3702 | Printer | WS-Discovery | inbound |
| UDP,TCP | 4045 | lockd | Filesystem | inbound |
| TCP | 4369 | EPMD | PortMapper | inbound |
| TCP | 5000 | UPnP | Universal Plug and Play | inbound |
| UDP | 5353 | mdns | Multicast DNS | inbound |
| TCP | 5432 | PostgreSQL | PostgreSQL | inbound |
| TCP | 5985 | WinRM | WinRM | inbound |
| TCP | 8333 | Bitcoin | Bitcoin Full Node | inbound |
| TCP | 8080 | www-alt | Alternative WWW Port | inbound |
| TCP | 9075 | nx-os | Cisco Nexus | inbound |
| UDP | 11211 | memcached | Memcached | inbound |
| TCP | 27017 | MongoDB | MongoDB | inbound |
| UDP | 32100 | IoT | IoT | outbound |
| UDP | 32414 | open-SSDP | Plex Media Servers | inbound |
Region Karlsruhe
In the bwCloud-OS Karlsruhe network, the following ports are blocked:
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| UDP, TCP | 111 | RPC Portmapper | Portmapper Security | inbound/outbound |
Region Ulm
In the bwCloud-OS Region Ulm the following ports are blocked by the Uni border firewall:
| Transport | Port Range | Description / Reason |
|---|---|---|
| TCP, UDP | 0 - 19 | lower protocols, like chargen, etc. used for DDoS |
| TCP, UDP | 23 | telnet |
| TCP, UDP | 42 | WINS |
| TCP, UDP | 67 - 69 | DHCP, tftp |
| TCP, UDP | 111 | rpc |
| TCP, UDP | 119 | nntp |
| TCP, UDP | 135 | loc-srv |
| TCP, UDP | 137 - 139 | SMB |
| TCP, UDP | 161 - 162 | SNMP |
| TCP, UDP | 427 | SLP, Service Location Protocol |
| TCP, UDP | 445 | ms-ds |
| TCP, UDP | 512 - 515 | exec, login, who, syslog, shell, printer |
| TCP, UDP | 520 - 521 | rip, ripng |
| TCP, UDP | 548 | AFP, Apple File Protocol |
| TCP, UDP | 623 | IPMI |
| TCP, UDP | 631 | cups |
| TCP, UDP | 1900 | SSDP |
| TCP, UDP | 2049 | nfsd |
| TCP, UDP | 3306 | MySQL |
| TCP, UDP | 3389 | RDP |
| TCP, UDP | 4045 | nfs lockd |
| TCP, UDP | 4369 | Erlang Port Mapper Daemon (EPMD) |
| TCP, UDP | 5432 | Postgres |
| TCP, UDP | 6443 | Kubernetes |
| TCP, UDP | 9100 | raw printer queues |
| TCP, UDP | 49152 | MS-RPC, allow incoming only established |
| TCP, UDP | 49664 - 49670 | MS-RPC, allow incoming only established |
| TCP | 110 | POP |
| TCP | 873 | rsync - maybe make a Server ACL like FTP |
| TCP | 995 | POPS |
| TCP | 1801 | Microsoft Message Queuing Service, CVE-2023-21554 |
| TCP | 5800 | VNC |
| TCP | 5900 | VNC |
| TCP | 5901 | VNC, sic may be more... |
| TCP | 6000 | X-Server |
| TCP | 6379 | REDIS |
| TCP | 9401 | Veeam Backup, CVE-2023-27532 |
| TCP | 27017 | MongoDB |
| UDP | 177 | XDMCP, X Display Manager ... |
| UDP | 389 | LDAP, UDP-based Amplification Attacks |
| UDP | 1434 | MS-SQL |
| UDP | 3283 | Apple Remote Desktop |
| UDP | 3702 | WS-Discovery |
| UDP | 5093 | SPSS License Server |
| UDP | 5353 | mDNS, UDP-based Amplification Attacks |