Port blocks on the CUDN
Jump to: Institution-CUDN port blocks, Janet-CUDN port blocks
Traffic to certain ports is blocked at the Janet/CUDN gateway because there are frequent attacks from outside the CUDN to these ports. While the blocks will normally prevent all traffic to that port from entering the CUDN, it is possible that traffic will not be blocked all the time, for example while the router configuration is updated or, more unusually, if there is a hardware/software problem affecting the CUDN routers. Furthermore, the blocks will not prevent an attack from within the CUDN, for example an attack from a compromised machine connected to the CUDN. Therefore everyone who has a machine attached to the CUDN needs to ensure that their machine is up-to-date with patches and security fixes at all times, and must not rely on port blocking on the CUDN routers to protect them.
In the case of 'finger' traffic, the port is blocked so that personal data (i.e. that which is subject to the Data Protection Act), does not leave the University domain.
A small number of ports are blocked between institutional networks and the rest of the CUDN. The ports blocked are either those widely used in attacks by worms and viruses, where the blocks are intended to help contain the spread of such malware, or those where there has been a history of problems.
For many ports a list of exceptions to the block is maintained. Institutional contacts who wish a machine to be included on the exception list for a particular port should contact CSIRT. It is essential that any machines that are excepted from a block are patched and have their virus protection up to date, and that the security of these machines is maintained.
Note: when exceptions are installed against addresses, the address is typically 'locked' in the IP Register database, preventing it from being rescinded. This will show up as an 'ANAME' error. This prevents the exemption from being transferred to a new host.
Ports blocked between institutional networks and the rest of the CUDN
| Port number | service | TCP or UDP | exceptions |
| 135 | windows RPC service | tcp | yes |
| 445 | microsoft-ds | tcp | yes |
| 161-162 | snmp | udp | yes |
Ports blocked at the CUDN/Janet gateway
| Port number | service | TCP or UDP | exceptions | incoming or outgoing |
| 0 | - | tcp,udp | no | both |
| 1 | tcpmux | tcp,udp | no | incoming |
| 21 | FTP | tcp | yes | incoming |
| 25 | smtp | tcp | yes | both |
| 53 | domain | tcp, udp | yes | incoming |
| 69 | tftp | udp | no | incoming |
| 79 | finger | tcp | yes | incoming |
| 98 | linuxconf | tcp | yes | incoming |
| 109 | pop-2 | tcp | yes | incoming |
| 110 | pop-3 | tcp | yes | incoming |
| 111 | rpcbind | tcp, udp | yes | incoming |
| 135 | windows RPC service | tcp, udp | yes | both |
| 137 | netbios-ns (Name Service) | tcp, udp | yes | both |
| 138 | netbios-dgm (Datagram Service) | tcp, udp | yes | both |
| 139 | netbios-ssn (Session Service) | tcp, udp | yes | both |
| 143 | imap-2 | tcp | yes | incoming |
| 161-162 | snmp | tcp, udp | no | incoming |
| 220 | imap-3 | tcp | yes | incoming |
| 445 | microsoft-ds | tcp,udp | yes | both |
| 465 | smtps | tcp | yes | incoming |
| 512 | rexec | tcp | no | incoming |
| 514 | syslog | udp | no | incoming |
| 515 | lpr | tcp,udp | no | incoming |
| 587 | message submission | tcp | yes | incoming |
| 623 | rmcp | tcp and udp | yes | incoming |
| 631 | Internet Printing Protocol | tcp | yes | incoming |
| 664 | rmcps | tcp and udp | yes | incoming |
| 993 | imap4 over TLS/SSL | tcp | yes | incoming |
| 995 | pop3 over TLS/SSL | tcp | yes | incoming |
| 1433 | MS-SQL server | tcp | yes | incoming |
Last updated: 4th May 2018
01223 332999
