This is a FAQ for the firewall at Tel-Aviv University.
The firewall is a network device which is located at the border between
TAU and the rest of the world. The firewall lets the network administrators
enforce a security policy at this border. The policy which is enforced at
TAU was drafted by TAU CC staff and approved by the computer committee and
the University management.
The firewall is here to protect the innocent. Most users need minimal
interaction with the outer world. The firewall protects them from most
(although not all) of the hazards of living on the Internet.
No. The firewall is just like the fence and gates around the University.
Although they limit your freedom to some degree, they are here for a good
purpose (protecting organizational assets). The exact impact on users depends
on the exact security policy which is enforced at the firewall.
As of this writing (April 2004), most outbound traffic is not restricted.
Direct web access to port 80 is blocked and users are required to use
our proxy servers.
We do require that owners of servers which provide services to the outside
world (such as a departmental web server that is accessed by users
connecting from the rest of the greater Internet) register this
service with us. This requirement ensures that only those servers that
really need to be exposed to the external world are reachable from it.
Please apply using the 'firewall form' (available in Word and PostScript formats). The
filled forms should be sent via ordinary mail to 'Yaron Zabary, agaf
michshuv vetechnologyot meda'. You may also fax these to 6405158.
If you are not sure, this most likely means that you do not need to.
Yes. Due to the recent outbreak of many viruses, we had to block access
to some popular ports. In particular, direct access to EXTERNAL SMTP servers
was blocked (a detailed explanation can be found in the mail changes
doc). Also, several ports which are used for accessing network drives on
Windows machines were blocked. Aside from those blocked ports, ADSL
and modem connections are considered part of the campus.
No. Such finer access control is left to the responsibility of the user.
Implementing this on the firewall is not desirable because of performance
issues. Implementing this on the server usually involves setting up a
kernel packet filter (such as ipchains), some kind of personal firewall,
or TCP wrappers. If you need assistance with setting these up, please
approach TAU CC staff (sending Email to our helpdesk should usually do).
Please send a detailed letter to our helpdesk for further assistance.
No. These services are known to work.
Yes. Although not directly related to the firewall, we are using some
capabilities in our networking equipment to prevent users from using
these services.
No. Although we have been told that file sharing is not possible.
We might re-evaluate our policy regarding ICQ at a later date.
It is advised that, if possible, you restrict access to only those
machines that really require it. It is also suggested that you use
a protocol that supports encryption, such as ssh or telnet over SSL. That said,
please keep in mind the legal status of encryption in Israel, as described
here.
No. With the migration to the PIX firewall, we intend to provide such a
service before the next academic year.
Due to certain security problems with such telnet access, applying for
interactive access means ssh only.
ssh is similar to telnet. Its main advantage is that it encrypts the traffic
between your PC and the server. A Windows ssh client can be obtained from
here. For Unix machines, you can get the sources from our ftp site.
ssh is installed on most workstations with CC support.
You may still use gate as before.
No. This page resides on TAU CC's main web server and is already accessible
from the outside.
Due to the recent viruses and spam, all incoming Email must be scanned
for viruses. This is done by two dedicated machines which accept all
Email traffic before it reaches the Email servers. This policy is
described in the mail changes doc.
You may do so by running the nslookup command which is available on all
Unix and Windows NT/2000 machines. In the output below, you can see that
aristo is serving as a mail exchanger at priority 7. This ensures that
Email to this host will be received by aristo first and then delivered to
cyclone (the mail exchanger at priority 0).

# nslookup -q=mx cyclone
Server: aristo.tau.ac.il
Address: 132.66.32.10
cyclone.tau.ac.il preference = 0, mail exchanger = cyclone.tau.ac.il
cyclone.tau.ac.il preference = 7, mail exchanger = aristo.tau.ac.il
tau.ac.il nameserver = aristo.tau.ac.il
tau.ac.il nameserver = ccsg.tau.ac.il
tau.ac.il nameserver = relay.huji.ac.il
cyclone.tau.ac.il internet address = 132.66.140.25
aristo.tau.ac.il internet address = 132.66.32.10
ccsg.tau.ac.il internet address = 132.66.16.2
relay.huji.ac.il internet address = 128.139.6.1

On the other hand, the following output is typical for a host that does
not have an MX record and will have its Email blocked.

# nslookup -q=mx raven
Server: aristo.tau.ac.il
Address: 132.66.32.10
tau.ac.il
origin = aristo.tau.ac.il
mail addr = marsh.aristo.tau.ac.il
serial = 2001082917
refresh = 43200 (12H)
retry = 7200 (2H)
expire = 5184000 (5184000)
minimum ttl = 86400 (1D)

Our Email server checks that the sender is OK. It might reject
some of the usual commercial spam which is sent over the Internet. It
might reject some legitimate mail as well, but this is usually related
to some configuration errors with the sender. If you suspect this is
the case, please send an Email to our helpdesk with a detailed
description of the problem.
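As an added example (not part of the original FAQ), the following Python script parses nslookup MX output of the kind shown above and reports the exchangers sorted by preference value, lowest first, which is the order the MX standard (RFC 5321) tells a sending mail server to try them; it also recognises the SOA-only answer that nslookup returns for a host with no MX record. The two sample outputs are constructed to match the cyclone and raven answers on this page, and the script additionally accepts the Windows and newer BIND nslookup wordings.

```python
import re

# Constructed samples modelled on the two nslookup answers shown in this FAQ:
# a host with MX records and a host that only gets the zone's SOA back.
WITH_MX = """\
Server: aristo.tau.ac.il
Address: 132.66.32.10
cyclone.tau.ac.il preference = 0, mail exchanger = cyclone.tau.ac.il
cyclone.tau.ac.il preference = 7, mail exchanger = aristo.tau.ac.il
tau.ac.il nameserver = aristo.tau.ac.il
cyclone.tau.ac.il internet address = 132.66.140.25
"""
WITHOUT_MX = """\
Server: aristo.tau.ac.il
Address: 132.66.32.10
tau.ac.il
origin = aristo.tau.ac.il
mail addr = marsh.aristo.tau.ac.il
serial = 2001082917
"""

# Older Unix nslookup: "preference = N, mail exchanger = HOST"
# Windows nslookup:    "MX preference = N, mail exchanger = HOST"
OLD_STYLE = re.compile(
    r"^\S+\s+(?:MX\s+)?preference\s*=\s*(?P<pref>\d+),\s*mail exchanger\s*=\s*(?P<mx>\S+)"
)
# Newer BIND nslookup: "HOST  mail exchanger = N HOST."
NEW_STYLE = re.compile(r"^\S+\s+mail exchanger\s*=\s*(?P<pref>\d+)\s+(?P<mx>\S+)")

def parse_mx(output):
    """Return (preference, exchanger) pairs, lowest preference first.

    A sending server tries the lowest preference value first, so the
    sorted list is the order in which delivery will be attempted.
    """
    found = []
    for line in output.splitlines():
        m = OLD_STYLE.match(line.strip()) or NEW_STYLE.match(line.strip())
        if m:
            found.append((int(m.group("pref")), m.group("mx").rstrip(".").lower()))
    return sorted(found)

def classify(output):
    """'mx' when exchangers exist, 'no-mx' for the SOA-only answer the FAQ warns about."""
    if parse_mx(output):
        return "mx"
    # nslookup falls back to printing the zone's SOA ("origin = ...") when
    # the queried name has no MX record; such a host will have its mail blocked.
    if re.search(r"^\s*origin\s*=", output, re.MULTILINE):
        return "no-mx"
    return "unknown"

if __name__ == "__main__":
    for host, text in (("cyclone", WITH_MX), ("raven", WITHOUT_MX)):
        print(host, classify(text), parse_mx(text))
```

To check a real host, pipe the output of nslookup -q=mx HOST into parse_mx instead of the constructed samples.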