Networking, Firewall, Mostly Closed + UI Group Details
Summary
The Mostly Closed + UI group is designed for web or email servers, allowing access to those services without being fully exposed to the Internet. It can be too permissive for some desktop systems, and can be too restrictive for other types of servers.
The difference between this group and the Mostly Closed group is that this group places no restrictions on network traffic between the University of Illinois campuses.
University of Illinois IP ranges given full access
In this firewall group, IP ranges belonging to the University of Illinois (including the Springfield and Chicago campuses) are given full access. UI IP ranges will not be subject to the same firewall restrictions as IP ranges from the external Internet.
For a list of the IP ranges that this firewall group considers a part of the University of Illinois network, see Guide to University of Illinois IP Spaces.
Internet: Services allowed in
From computers that are not part of the University of Illinois network:
Only HTTP, HTTPS, IMAP, secure IMAP, POP3, secure POP, FTP, SFTP, SMTP, and H.323. (A specific port list is available.)
Assuming that a machine uses the standard ports for its services, placement in this group means that users from outside the firewall will be allowed to initiate connections with encrypted and unencrypted web servers, mail servers, FTP sessions, and voice-over-IP connections on machines in this group. No other services will be accessible to outside users if a machine is in this group.
Internet: Services allowed out
To computers that are not part of the University of Illinois network:
All (except the ports that are always blocked in both directions)
Advantages
- Computers in this group are at lower risk from attacks from outside the university on the ports that are blocked.
- Users still get access to the Internet for services they already have.
- Popular services are still accessible from outside (for example, departmental web servers, mail servers, etc.).
Disadvantages
- Computers are still at risk from any attacks coming through the ports that are open. Examples include web server vulnerabilities, sendmail vulnerabilities, etc. Note that many non-web-server devices now have interfaces that use web ports; some of the vulnerabilities that target web ports can cause problems in these devices. For example, HP JetDirect printers could be made to print out extra pages because of a web server vulnerability.
- If a computer is offering services that require additional ports, this package will not work for that machine.
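To judge whether a machine fits this group, compare its listening services with the inbound rule described above. The following is an added example, not part of the original page or the firewall's own configuration. It assumes the IANA default TCP ports for the named services (the group's actual port list may differ) and uses placeholder documentation ranges in place of the real University of Illinois IP spaces.

```python
import ipaddress

# Assumption: IANA default TCP ports for the services the page names; the
# group's actual port list is not reproduced here. SFTP runs over SSH (22).
INBOUND_FROM_INTERNET = {
    80: "HTTP", 443: "HTTPS", 143: "IMAP", 993: "secure IMAP",
    110: "POP3", 995: "secure POP", 21: "FTP", 22: "SFTP",
    25: "SMTP", 1720: "H.323",
}
# Constructed placeholder ranges (RFC 5737 documentation space) standing in
# for the list in "Guide to University of Illinois IP Spaces".
UI_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def inbound_allowed(src_ip, dst_port):
    """Model the group's inbound rule for one new TCP connection."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in UI_NETWORKS):
        return True  # UI ranges are given full access
    return dst_port in INBOUND_FROM_INTERNET

def listening_ports(ss_output):
    """Extract TCP ports bound to non-loopback addresses from `ss -tln` text."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if not (addr.startswith("127.") or addr == "[::1]"):
            ports.add(int(port))
    return ports

def audit(ss_output):
    """Split a host's listeners into Internet-reachable and UI-only ports."""
    ports = listening_ports(ss_output)
    exposed = {p: INBOUND_FROM_INTERNET[p] for p in ports if p in INBOUND_FROM_INTERNET}
    return exposed, sorted(ports - set(exposed))

# Constructed sample of `ss -tln` output for a departmental web server.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      511    [::]:8080          [::]:*
"""
```

Calling `audit(SAMPLE)` returns the listeners that remain reachable from outside the university and the ones that only UI ranges can reach; a service in the second set that outside users need means this group will not work for that machine.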