Networking, Firewall, Service Participation
For IT Pros: This page contains information about how campus IT pros can add groups of computers under their control to the different campus firewall groups.
Nearly all publicly routable networks on campus participate in the Firewall Service Plan. If no other group has been specified by your unit, your network is in the Fully Closed group. If you have private (RFC 1918) IP space using NAT, that is also in the Fully Closed group. If your network needs to be in a different group in order to meet your unit's needs then you can submit the UIUC_network_request_firewall form (see Procedural Rules section below).
Rules for participating in the Firewall Service Plan
IP range rules:
- Each firewall group your unit needs should be a separate subnet.
- If your unit currently has one network serving multiple purposes, breaking that network into purpose-driven networks is encouraged.
- If you absolutely can't use one firewall group for your network, Legacy IP range rules are still supported, see that section for more information.
Procedural rules:
- The head of the department must approve participation in the plan.
- All IP space in your network (or, if necessary, a selected legacy IP range) must be assigned to one of the firewall groups. However, for Legacy IP ranges it is not required to use all of the available firewall groups. (For example, you can place one contiguous range in the Fully Closed plan and another contiguous range in the Mostly Open plan, but you are not required to place a machine range in each of the available plans.)
- IPv4 and IPv6 ranges for a single network must be placed in the same firewall group. If you are using Legacy IP ranges, IPv6 use on that network is discouraged. If your unit must have Legacy IP ranges and IPv6 for the same network, then the entire IPv6 range will be placed in the most restrictive firewall group used by any of that network's Legacy IP ranges.
- The paperwork must be signed and returned to Tech Services before any hosts can be placed in the firewall groups. Complete this form (UIUC_network_request_firewall_agreement.doc) and return it to Tech Services Networking by emailing a copy to net-trouble@illinois.edu, or if you can't send it via email you can send a paper copy to mail code 256, 1304 W. Springfield, Urbana, IL 61801.
- Optional: A number of network administrators have commented to us that they felt uncomfortable agreeing to the conditions in the statement of compliance form in that they have no oversight for the machines that research groups request be placed in the fully open portions of their subnet(s).
In response to (and in partnership with) those groups, we have developed an additional form for use by network administrators. This Departmental Statement of Compliance is intended to be a tool for network administrators. You may require it be completed before agreeing to place faculty or staff machines on fully open portions of your subnet(s).
While not required, Security would greatly appreciate receiving a copy of this form once you've signed off on it. Please send these forms to securitysupport@illinois.edu.
What to do when you've determined the networks or groups for your machines
1. Fill out the firewall paperwork and return it to Networking. Once Networking has received the paperwork, they will forward Fully Open firewall paperwork to Security for sign-off as needed, check your Legacy IP ranges for conformance to the subnet masking rules if necessary, and then contact you to schedule the firewall change.
2. If hosts need to move once you have new networks or the Networking-approved Legacy IP ranges and subnet masks for your machines, you can use IPAM to move your machines from their current IPs and subnet masks to their new locations.
3. Verify that the firewall groups are working as expected after the scheduled change.
Placing and removing hosts from the firewall groups is a "normal business hours" service.
Legacy IP range rules:
- IP ranges selected for inclusion in the firewall plan must be contiguous (for example, you cannot say "everything from 192.0.0.0 to 192.0.0.63 except for 192.0.0.3 and 192.0.0.7").
- You must divide your network into no more than six IP ranges.
- Any selected IP range must contain a power of 2 number of hosts.
- The range of IP addresses for a firewall group must be able to be represented by a combination of a starting IP address and a subnet mask describing the size of the range.
Since the campus firewalls use the combination of a valid range-starting IP address and a subnet mask to describe a segment of the network, all IP ranges used to define firewall groups must obey each of these rules.
For more assistance on determining what is a contiguous group of IP addresses matching the "Powers of Two" requirement, see Calculating Firewall Ranges.
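The four Legacy IP range rules above all reduce to one check: a range is acceptable only if it can be written as a single starting address plus subnet mask (CIDR notation). The script below is an added example, not part of the original page or of Tech Services' tooling; it checks a proposed range against the power-of-two and alignment rules, reports the start+mask form when the range passes, shows the smallest set of start+mask blocks a non-conforming range would have to be broken into, and validates a whole plan against the six-range limit and for overlaps. The group names, sample addresses, and `MAX_LEGACY_RANGES` constant are constructed for illustration.

```python
"""Check proposed Legacy IP ranges against the start+mask (CIDR) rules.

Added example, not part of the original page. The sample ranges and the
group names used below are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

MAX_LEGACY_RANGES = 6  # the page allows no more than six ranges per network


def check_legacy_range(start: str, end: str) -> dict:
    """Test one inclusive range [start, end] against the Legacy IP range rules.

    Returns a dict with the violated rules (an empty list means the range is
    usable) and, when usable, the equivalent start+mask (CIDR) notation.
    """
    s, e = IPv4Address(start), IPv4Address(end)
    if e < s:
        raise ValueError("end address precedes start address")
    size = int(e) - int(s) + 1
    problems = []
    # Rule: the range must contain a power-of-two number of hosts.
    if size & (size - 1):
        problems.append(f"size {size} is not a power of two")
    # Rule: start + mask must describe the range exactly, which holds only
    # when the start address sits on a multiple-of-size boundary.
    elif int(s) % size:
        problems.append(f"start {s} is not aligned to a {size}-address boundary")
    cidr = None
    if not problems:
        prefix = 32 - size.bit_length() + 1  # 1 host -> /32, 64 hosts -> /26
        cidr = str(IPv4Network((s, prefix)))
    return {"size": size, "problems": problems, "cidr": cidr}


def split_into_blocks(start: str, end: str) -> list[str]:
    """Smallest set of start+mask blocks that exactly covers [start, end].

    Useful when a range breaks the rules: each block returned here is one
    that the firewall can represent, at the cost of using more ranges.
    """
    blocks = summarize_address_range(IPv4Address(start), IPv4Address(end))
    return [str(n) for n in blocks]


def check_plan(ranges: list[tuple[str, str, str]]) -> list[str]:
    """Validate a whole Legacy IP plan given as (group, start, end) tuples.

    Every range must pass check_legacy_range, no two ranges may overlap, and
    the plan may contain at most MAX_LEGACY_RANGES ranges.
    """
    problems = []
    if len(ranges) > MAX_LEGACY_RANGES:
        problems.append(f"{len(ranges)} ranges exceeds the limit of {MAX_LEGACY_RANGES}")
    nets = []
    for group, start, end in ranges:
        result = check_legacy_range(start, end)
        for p in result["problems"]:
            problems.append(f"{group} {start}-{end}: {p}")
        if result["cidr"]:
            nets.append((group, IPv4Network(result["cidr"])))
    for i, (g1, n1) in enumerate(nets):
        for g2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{g1} {n1} overlaps {g2} {n2}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /24 split into three firewall groups.
    sample_plan = [
        ("Fully Closed", "192.0.2.0", "192.0.2.127"),
        ("Mostly Open", "192.0.2.128", "192.0.2.191"),
        ("Fully Open", "192.0.2.192", "192.0.2.255"),
    ]
    for group, start, end in sample_plan:
        print(group, check_legacy_range(start, end))
    print("plan problems:", check_plan(sample_plan) or "none")
    # A 64-host range that is not aligned cannot be one start+mask block.
    print(check_legacy_range("192.0.2.16", "192.0.2.79"))
    print("would need:", split_into_blocks("192.0.2.16", "192.0.2.79"))
```

A range that fails the alignment check is the usual surprise: 192.0.2.16 through 192.0.2.79 holds exactly 64 hosts, but because 16 is not a multiple of 64 the firewall would need three separate blocks (/28, /27, /28) to cover it, each of which counts against the six-range limit. Shifting the range to a 64-address boundary, or splitting the network into purpose-driven subnets as the page recommends, avoids spending ranges this way.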