Networking, Firewall, Mostly Open + UI Group Details
Summary
The Mostly Open + UI group is designed for servers that are not web or email servers; it allows all traffic from the University of Illinois IP ranges. From the broader Internet, it blocks the most commonly exploited ports while allowing all other traffic through. This group is too permissive for most desktops.
University of Illinois IP ranges given full access
In this firewall group, IP ranges belonging to the University of Illinois (including the Springfield and Chicago campuses) are given full access. UI IP ranges will not be subject to the same firewall restrictions as IP ranges from the external Internet.
For a list of the IP ranges that this firewall group considers a part of the University of Illinois network, see Guide to University of Illinois IP Spaces.
Internet: Services allowed in
From computers that are not part of the University of Illinois network:
All except DNS, finger, HTTP, HTTPS, ICMP, IRC, LDAP, LPD, NFS, NNTP, SNMP, and SMTP. (A specific port list is available.)
Assuming that a machine uses the standard ports for its services, external users trying to access services from a machine in this group will find that many services are allowed. However, unlike the Mostly Closed group, several of the most common services are denied, in order to protect the machine from the most common exploits.
Services denied to users coming from outside the firewall include mail, chat, ping or traceroute, user lookup, unencrypted web servers, newsgroups, and network management services like directory access, network file sharing, and DNS (mapping machine names to IP addresses).
Internet: Services allowed out
To computers that are not part of the University of Illinois network:
All (except the ports that are always blocked in both directions)
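The allow/deny logic described in this section, written out as an added example (not the University's actual firewall configuration): a small Python model that decides, for a given source address, protocol and port, whether the Mostly Open + UI group would pass the traffic. The University IP ranges are stand-in documentation prefixes (the real list is in the Guide to University of Illinois IP Spaces), the blocked ports are the standard IANA ports for the services named above (the page's own port list is not reproduced here), and the set of ports "always blocked in both directions" is left as an empty placeholder because the page does not list them.

```python
"""Model of the Mostly Open + UI firewall group.

Added example; not the University's firewall rules. Ranges and the
always-blocked set are placeholders, ports are IANA defaults.
"""
import ipaddress

# Placeholder prefixes standing in for the University of Illinois ranges.
UNIVERSITY_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")
]

# Standard ports for the services this group denies from the Internet.
# Assumed IANA defaults; the page's specific port list is not reproduced.
BLOCKED_INBOUND = {
    ("tcp", 53), ("udp", 53),                 # DNS
    ("tcp", 79),                              # finger
    ("tcp", 80),                              # HTTP
    ("tcp", 443),                             # HTTPS
    ("tcp", 194), ("tcp", 6667),              # IRC
    ("tcp", 389), ("tcp", 636),               # LDAP / LDAPS
    ("tcp", 515),                             # LPD
    ("tcp", 111), ("udp", 111),               # NFS: portmapper
    ("tcp", 2049), ("udp", 2049),             # NFS: nfsd
    ("tcp", 119),                             # NNTP
    ("udp", 161), ("udp", 162),               # SNMP
    ("tcp", 25),                              # SMTP
}

# Placeholder: the page says some ports are always blocked in both
# directions but does not name them.
ALWAYS_BLOCKED = set()


def is_university(addr):
    """True if addr falls inside one of the (placeholder) University ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNIVERSITY_RANGES)


def decide_inbound(src, proto, port=None):
    """Decision for traffic arriving at a host in this group.

    proto is 'tcp', 'udp' or 'icmp'; port is ignored for icmp.
    """
    if (proto, port) in ALWAYS_BLOCKED:
        return "deny"
    if is_university(src):
        return "allow"                  # UI ranges get full access
    if proto == "icmp":
        return "deny"                   # ping / traceroute from the Internet
    if (proto, port) in BLOCKED_INBOUND:
        return "deny"                   # commonly exploited services
    return "allow"                      # everything else from the Internet passes


def decide_outbound(dst, proto, port=None):
    """Decision for traffic leaving a host in this group: all allowed
    except the always-blocked ports."""
    if (proto, port) in ALWAYS_BLOCKED:
        return "deny"
    return "allow"


def non_standard_port_gap(proto, port):
    """Illustrates the 'assuming standard ports' caveat: a listed service
    moved to an unlisted port is not caught by the inbound block."""
    return decide_inbound("203.0.113.5", proto, port) == "allow"


if __name__ == "__main__":
    # Constructed sample flows: (source, proto, port, description)
    samples = [
        ("192.0.2.10",  "tcp", 25,   "SMTP from a University address"),
        ("203.0.113.5", "tcp", 25,   "SMTP from the Internet"),
        ("203.0.113.5", "tcp", 22,   "SSH from the Internet"),
        ("203.0.113.5", "tcp", 8080, "HTTP on a non-standard port from the Internet"),
        ("203.0.113.5", "icmp", None, "ping from the Internet"),
    ]
    for src, proto, port, desc in samples:
        print(f"{desc:48s} -> {decide_inbound(src, proto, port)}")
```

The last sample is the practical caveat behind "assuming that a machine uses the standard ports": the block is keyed on port numbers, so a web or mail daemon listening somewhere other than 80/443/25 is reachable from the Internet under this group.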
Advantages
- This group reduces a computer's visibility on the network for some of the most common exploits, and helps protect against common port scans initiated from off-campus.
- A computer in this group maintains most of the functionality that the computer would have under the fully open model.
- Many of the services left available under this plan are things that most departments would not want to advertise outside of the university.
- Popular services are accessible from outside (with the exception of mail and HTTP).
Disadvantages
- If a department has users off-campus relying on any of the services that are blocked, the off-campus users won't be able to access them without acquiring a University IP address through the VPN server. (For example, someone remotely NFS mounting a drive through a third-party ISP connection would not be able to continue this method of access without installing and running a VPN client.)
- Since most ports are left open, computers in this group have less overall protection than computers in more restrictive groups.