Port blocks on the UDN
Jump to: Exceptions, Institution-UDN port blocks, Janet-UDN port blocks
Traffic to a number of ports is blocked at the Janet/UDN gateway because there are frequent attacks from outside the UDN to these ports. While the blocks will normally prevent all traffic to that port from entering the UDN, it is possible that traffic will not be blocked all the time, for example while the router configuration is updated or, more unusually, if there is a hardware/software problem affecting the UDN routers. Furthermore, the blocks will not prevent an attack from within the same network or elsewhere on the UDN. Therefore everyone who has a machine attached to the UDN needs to ensure that their machine is up-to-date with patches and security fixes at all times, and must not rely on port blocking on the UDN routers to protect them.
In the case of 'finger' traffic, the port is blocked so that personal data (i.e. that which is subject to the Data Protection Act), does not leave the University domain.
A small number of ports are blocked between institutional networks and the rest of the UDN. The ports blocked are either those widely used in attacks by worms and viruses, where the blocks are intended to help contain the spread of such malware, or those where there has been a history of problems.
Exceptions
For many ports a list of exceptions to the block is maintained. Institutional contacts who wish a machine to be included on the exception list for a particular port should contact CSIRT. It is essential that any machines that are excepted from a block are patched and have their virus protection up to date, and that the security of these machines is maintained.
For manageability reasons, exceptions in the border are typically made FROM ALL external addresses (i.e. the entire internet) to the specified UDN address, rather than the specific external addresses which may be required: if required, institutions must limit the external addresses from which the exception is permitted using a local firewall or other traffic control.
Exceptions are only available to/from publicly-routed addresses, not UDN-wide private addresses.
Note: when exceptions are installed against addresses, the address is typically 'locked' in the IP Register database, preventing it from being rescinded and will show up as an 'ANAME' error, when this is attempted. This prevents the exemption from being transferred to a new host. It is strongly recommended that entries for hosts are rescinded, when the host is decommissioned, to flag up any exceptions or other dependencies so they can be removed, rather than leave them in place to affecta subsequent host which happens to have the same IP address.
Institution-UDN port blocks
The list below shows the ports blocked from the UDN into institutions:
Port number | service | TCP or UDP | Exceptions |
---|---|---|---|
135 | epmap (Microsoft RPC service) | TCP | Yes |
161-162 | SNMP | UDP | Yes |
445 | microsoft-ds | TCP | Yes |
Note that no ports are blocked from an institution into the UDN: if traffic is blocked it is usually at the destination end.
Janet-UDN port blocks
The list below shows the ports blocked between Janet (the internet provider used by the UDN) and the UDN:
Port number | Service | TCP or UDP | Exceptions | Direction |
---|---|---|---|---|
0 | - | TCP+UDP | No | Both |
1 | tcpmux | TCP+UDP | No | incoming |
21 | ftp | TCP | Yes | Incoming |
25 | smtp (mail transport: server-server) | TCP | Yes | Both |
53 | domain (DNS) | TCP+UDP | Yes | Incoming |
69 | tftp | UDP | No | incoming |
79 | finger | TCP | Yes | Incoming |
98 | linuxconf | TCP | Yes | Incoming |
109 | pop-2 | TCP | Yes | Incoming |
110 | pop-3 | TCP | Yes | Incoming |
111 | rpcbind | TCP+UDP | Yes | Incoming |
135 | epmap (Microsoft RPC service) | TCP+UDP | Yes | Both |
137 | netbios-ns (Microsoft Name Service) | TCP+UDP | Yes | Both |
138 | netbios-dgm (Microsoft Datagram Service) | TCP+UDP | Yes | Both |
139 | netbios-ssn (Session Service) | TCP+UDP | Yes | Both |
143 | imap2 | TCP | Yes | Incoming |
161+162 | snmp | TCP+UDP | No | Incoming |
220 | imap3 | TCP | Yes | Incoming |
427 | svrloc | TCP+UDP | No | Both |
445 | microsoft-ds | TCP+UDP | Yes | Both |
465 | smtps | TCP | Yes | Incoming |
512 | rexec | TCP | No | Incoming |
514 | syslog | UDP | No | Incoming |
515 | lpr | TCP+UDP | No | Incoming |
587 | submit (mail transport: client-server) | TCP | Yes | Incoming |
623 | rmcp | TCP+UDP | Yes | Incoming |
631 | ipp (Internet Printing Protocol) | TCP | Yes | Incoming |
664 | rmcps | TCP+UDP | Yes | Incoming |
993 | imaps (IMAP4 over TLS/SSL) | TCP | Yes | Incoming |
995 | pop3s (POP3 over TLS/SSL) | TCP | Yes | Incoming |
1433 | MS-SQL server | TCP | Yes | Incoming |
3389 | Microsoft Remote Desktop | TCP | Yes | Incoming |
Last updated: 6th November 2023