With the Firewall Service, two types of policies can be set per network: a network policy and an exception policy. For each policy, the outbound (from the user's subnet to outside the university) and inbound (from outside the university to the user's subnet) settings can be selected from a predefined set of services.
The Firewall Service and the Screening Service are mutually exclusive. When the Firewall Service is activated, the Screening Service is disabled.
The features of the Firewall Service are as follows.
- Communication can be permitted on a per-service-group basis. You can specify which services pass through on a per-service-group basis, such as web (HTTP) or mail (POP3, SMTP). Opening only the service groups you use reduces the possibility of unauthorized intrusion.
- Inbound and outbound traffic can be specified individually. For example, you can permit only off-campus web browsing while denying access from outside the university to terminals on your subnet. That is achieved by permitting only HTTP for outbound and selecting "block all" for inbound. The same applies to other services.
- Communication from inside the university can also be restricted via building screening. In the building screening settings, you can select access to other on-campus subnets from "block all," "TCP from inside only," or "pass all."
Difference from the Screening Service
With external-line screening, screening could be turned on/off per IP address, but with the Firewall Service, settings are made on a per-network basis. First, set the policy for the entire network; then, if necessary, specify the hosts or address ranges that are exceptions to that policy.
How to Apply / Make Changes
To apply, you enter the settings via a web page, after which the configuration details are confirmed by email. The processing flow is as follows.
- The designated liaison enters the details on the settings page
- The configuration details are emailed to the designated liaison
- The designated liaison checks the details and returns them to the NOC
- NOC staff review the details
- If there are no problems, the change is applied to the equipment on the same day or the next business day
* Application may be delayed depending on the firewall's load, etc.
Policy Settings (Network Policy and Exception Policy)
After deciding which network to configure, specify the access policy for that network.
Two types of policies can be set per network: a network policy and an exception policy.
The exception policy can be used when you want to apply a different policy to some terminals or servers separately from the policy for the entire network. For example, you can set the network policy for general terminals within the subnet so that they can access external services but cannot be accessed from outside, while setting the exception policy for an externally published server so that only specific services such as web access can be reached from outside.
Regarding Packets Passing the Block Policy Due to the Firewall's Application Analysis
Since 2022, the firewall has supported application analysis, so depending on the policy settings, the block policy may not be applied until application analysis is complete, and some communication may pass through the firewall.
Specifically, when an exception policy's permitted services are more restricted than the overall policy, or when an exception policy's permitted services are not included in the overall policy's permitted services, packets that should be blocked may pass through the firewall in the exception host's communication.
For example, if you permit only HTTP for an exception host and permit SSH and HTTP for the whole, a few packets of the exception host's SSH communication may pass through the firewall until application analysis is complete, and a TCP connection with the SSH server may be momentarily established.
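The two-layer policy model above (a network policy for the whole subnet, exception policies for individual hosts or ranges) and the pass-through caveat can be modelled in a few lines. The following is an added example written for this page, not the service's own tooling: it computes the steady-state decision for a host and direction, and flags the condition the paragraph describes, namely services that the network policy permits but an exception policy does not, which are the ones that may briefly pass before application analysis completes. The subnet (an RFC 5737 documentation range), the host addresses and the policies are constructed for illustration.

```python
"""
Model of the network-policy / exception-policy layering described above,
with a check for the transient pass-through window that the page says
application analysis can open. Added example, not the service's own code;
the subnet (an RFC 5737 documentation range), host addresses and policies
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

BLOCK_ALL = frozenset()          # "block all": no service permitted
PASS_ALL = frozenset({"*"})      # "pass all": wildcard entry


@dataclass(frozen=True)
class Policy:
    """Permitted services per direction (a set of service names, or PASS_ALL)."""
    outbound: frozenset
    inbound: frozenset


@dataclass
class NetworkConfig:
    subnet: ipaddress.IPv4Network
    network_policy: Policy
    # exception policies keyed by a host or CIDR range inside the subnet
    exceptions: dict = field(default_factory=dict)


def effective_policy(cfg, host):
    """The exception policy applies to the hosts it covers; every other host
    in the subnet falls under the network policy. If several exception
    ranges overlap, the most specific (longest prefix) one is used."""
    addr = ipaddress.IPv4Address(host)
    if addr not in cfg.subnet:
        raise ValueError(f"{host} is not in {cfg.subnet}")
    matches = [(net, pol) for net, pol in cfg.exceptions.items() if addr in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return cfg.network_policy


def decide(cfg, host, direction, service):
    """Steady-state decision once application analysis has classified the
    flow: True if the service is permitted for this host and direction."""
    pol = effective_policy(cfg, host)
    allowed = pol.outbound if direction == "outbound" else pol.inbound
    return "*" in allowed or service in allowed


def transient_passthrough(cfg):
    """Flag the situation the page warns about: for each exception range and
    direction, the services the network policy permits but the exception
    does not. Until application analysis identifies such a flow, a few of
    its packets may pass. A '*' in the result means the network policy is
    'pass all', so every service not named in the exception is affected."""
    risks = {}
    for net, pol in cfg.exceptions.items():
        for direction in ("outbound", "inbound"):
            whole = getattr(cfg.network_policy, direction)
            exc = getattr(pol, direction)
            if "*" in exc:
                continue  # exception is 'pass all': nothing is narrower
            leaking = set(whole) - set(exc)
            if leaking:
                risks[(str(net), direction)] = sorted(leaking)
    return risks


def example_config():
    """Constructed configuration mirroring the page's example: the whole
    subnet may use SSH and HTTP outbound and accepts nothing inbound; one
    published web server is limited to HTTP in both directions."""
    return NetworkConfig(
        subnet=ipaddress.IPv4Network("192.0.2.0/24"),
        network_policy=Policy(outbound=frozenset({"SSH", "HTTP"}), inbound=BLOCK_ALL),
        exceptions={
            ipaddress.IPv4Network("192.0.2.10/32"): Policy(
                outbound=frozenset({"HTTP"}), inbound=frozenset({"HTTP"})),
        },
    )


if __name__ == "__main__":
    cfg = example_config()
    for host, direction, service in [("192.0.2.20", "outbound", "SSH"),
                                     ("192.0.2.10", "outbound", "SSH"),
                                     ("192.0.2.10", "inbound", "HTTP"),
                                     ("192.0.2.20", "inbound", "HTTP")]:
        verdict = "permit" if decide(cfg, host, direction, service) else "block"
        print(host, direction, service, "->", verdict)
    print("transient pass-through risk:", transient_passthrough(cfg))
```

For the constructed configuration the check reports SSH, outbound, for the published server: exactly the case in the paragraph above. Running the check against a proposed configuration before submitting it shows which exception hosts are narrower than the network policy, so the liaison knows where a momentary connection is possible and can decide whether to accept that or widen the network policy instead.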
Firewall Settings
For each policy, the firewall settings let you configure what passes for outbound (from the user's subnet to outside the university) and inbound (from outside the university to the user's subnet) communication. In addition to "block all" and "pass all," the configured content can be selected from the following predefined service groups.
Applications Included in Each Service Group
| Group | Included Communication |
|---|---|
| S1 | HTTP, HTTPS, QUIC, RTSP, MMS |
| S2 | SSH |
| S3 | FTP |
| S4 | POP, POPS, IMAP, IMAPS |
| S5 | ICMP |
| S6 | Information retrieval |
| S7 | DNS |
| S8 | VPN |
| S9 | SMTPS, SUBMISSION |
| S10 | SMTP |
About Each Application
| Type | Description |
|---|---|
| HTTP/HTTPS | Mainly used for sending data between a web browser and a website (including Gmail authentication). |
| QUIC | |
| RTSP | QuickTime, Real streams |
| MMS | Windows Media stream |
| SSH | Mainly used for remote connections. |
| VPN | Includes PPTP (1723/tcp), L2TP (1701/udp), IPSec (AH, ESP, IKE: 500/udp, IPSec NAT Traversal: 4500/udp), GRE, and ports commonly used by general VPN clients (992/tcp, 1194/tcp, 1194/udp, 8888/tcp, 10000/tcp, 10000/udp). For those using HTTPS, such as SSL-VPN and EtherVPN, please use S1. |
| FTP | Passwords are transmitted in plain text |
| SMTP, SMTPS | Mail sending. If you use an on-campus server (such as a hosting service) for sending mail, you can still send mail via the on-campus server even if SMTP from the user's subnet to outside the university is not permitted. This helps prevent virus-infected terminals within the subnet from sending virus email directly to outside the university. |
| SUBMISSION | Mail sending with spam countermeasures. |
| POP | Mail receiving. Passwords are transmitted in plain text |
| IMAP | Mail receiving. Passwords are transmitted in plain text |
| ICMP | traceroute, ping, etc. |
| Information retrieval | Currently includes the library's SciFinder and CrossFire. We plan to progressively add university-wide useful services, such as library services, to "Information retrieval." If you have requests, please first contact query@noc.titech.ac.jp. |
Building Screening Settings
This configures screening that restricts communication at the building switch.
- Block all (except the Center for Information Infrastructure and the Library)
Except for exceptions such as the Center's computers, hosting services, and the Library's information retrieval, communication is not possible either from the inside or from the outside (including on-campus). By using the Center's hosting service or proxy service, web browsing and sending/receiving mail are still possible. This therefore provides a fairly high level of security.
- TCP from inside only (except the Center for Information Infrastructure and the Library)
Only TCP communication initiated from inside the user's subnet is permitted. Web browsing and access to external mail servers are available because they are TCP communication initiated from the inside. On the other hand, because connections from outside and UDP communication can be excluded, security is relatively high. However, applications that require connections from outside, and streaming that uses UDP, cannot be used.
- Pass all
All communication passes through the building switch.
Frequently Asked Questions
I don't know the designated liaison for the subnet (IP address) I'm using.
Please contact us by email, stating the global IP address you are using.
If you do not know the IP address you are using, please state the IP address shown when accessing T2Box, along with your affiliation information (such as School and department) and building name, and contact us.
I don't know the current settings.
Please have the administrator or the designated liaison of your subnet contact us by email. Please note that, for security and similar reasons, we cannot respond to inquiries from anyone other than the designated liaison.
How can I send Gmail using an email client?
Gmail mail sending supports the following two ports:
- 465: SMTPS
- 587: Submission
Therefore, for sending from an email client, S9 alone is sufficient.
S10 (SMTP) is mainly required when operating a mail server.
Recommended Settings
- To maximize security
Use the Center's network hosting service for mail and web servers, and use the NOC's proxy service for external web access. Set both inbound and outbound firewall settings to "block all." Set the building screening setting to "block all" as well.
- To use external services other than web
If the service you use is TCP-only and connects only from the inside, select that service for outbound in the firewall settings, and select "TCP from inside only" in the building screening settings.
Reference: How to Enter an IP Address Range
When specifying a single IP address, write it in the usual AAA.BBB.CCC.DDD format. When specifying an address range, use CIDR format. A CIDR block is written as AAA.BBB.CCC.DDD/MM, giving the start address (AAA.BBB.CCC.DDD) and the mask length (MM). The mask length takes a value from 1 to 32 and is the number of leading bits that are fixed; the remaining 32−MM bits vary, so the block covers 2^(32−MM) addresses. The start address must be aligned to the block size: DDD must be divisible by 2^(32−MM).
For example, when specifying an address range from 131.112.126.0/24:
131.112.126.2/31 = 131.112.126.2-3 a range of 2 addresses
131.112.126.4/30 = 131.112.126.4-7 a range of 4 addresses
131.112.126.0/28 = 131.112.126.0-15 a range of 16 addresses
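The entry rules above (single address, or a CIDR block with mask 1 to 32 whose last octet is divisible by the block size) can be checked before the form is submitted. The following is an added example written for this page, not a tool provided by the service: it parses one entry, applies the page's divisibility rule, lets the standard `ipaddress` module reject any start address with host bits set, confirms the entry lies inside the user's subnet, and returns the first address, last address and address count. The sample entries are constructed around the page's 131.112.126.0/24 example.

```python
"""
Parser/validator for the single-address and CIDR entry format described
above. Added example, not part of the service's own tooling; the sample
entries are constructed around the page's 131.112.126.0/24 example.
"""
import ipaddress


def parse_entry(entry, subnet="131.112.126.0/24"):
    """Return (first_address, last_address, count) for one entry, or raise
    ValueError with the reason the entry is invalid.

    Rules from the page: a bare AAA.BBB.CCC.DDD is a single address; a CIDR
    block AAA.BBB.CCC.DDD/MM has a mask MM from 1 to 32, covers 2**(32-MM)
    addresses, and its last octet DDD must be divisible by 2**(32-MM).
    """
    user_net = ipaddress.IPv4Network(subnet)
    if "/" not in entry:
        addr = ipaddress.IPv4Address(entry)
        if addr not in user_net:
            raise ValueError(f"{entry} is outside {user_net}")
        return str(addr), str(addr), 1

    start_text, mask_text = entry.split("/", 1)
    mask = int(mask_text)
    if not 1 <= mask <= 32:
        raise ValueError(f"mask /{mask} must be between 1 and 32")
    size = 2 ** (32 - mask)
    last_octet = int(start_text.rsplit(".", 1)[1])
    # The page states the alignment rule in terms of the last octet, which
    # is the form it takes for blocks no larger than a /24.
    if mask >= 24 and last_octet % size != 0:
        raise ValueError(f"last octet {last_octet} is not divisible by {size}")
    # strict=True applies the same alignment rule to every prefix length:
    # a start address with host bits set is rejected.
    try:
        net = ipaddress.IPv4Network(entry, strict=True)
    except ValueError as exc:
        raise ValueError(f"{entry} is not an aligned CIDR block: {exc}") from exc
    if not net.subnet_of(user_net):
        raise ValueError(f"{entry} is not inside {user_net}")
    return str(net.network_address), str(net.broadcast_address), size


def describe(entries, subnet="131.112.126.0/24"):
    """Render entries in the 'X.X.X.A-B a range of N addresses' style used
    on this page, or state why an entry was rejected."""
    lines = []
    for entry in entries:
        try:
            first, last, count = parse_entry(entry, subnet)
            last_octet = last.rsplit(".", 1)[1]
            lines.append(f"{entry} = {first}-{last_octet} a range of {count} address(es)")
        except ValueError as err:
            lines.append(f"{entry}: rejected ({err})")
    return lines


if __name__ == "__main__":
    # Constructed sample entries: the three from the page, one single
    # address, one misaligned block and one outside the subnet.
    sample = ["131.112.126.2/31", "131.112.126.4/30", "131.112.126.0/28",
              "131.112.126.9", "131.112.126.3/31", "131.112.127.0/28"]
    for line in describe(sample):
        print(line)
```

The explicit last-octet check and `strict=True` agree for every mask from /24 to /32; the second one also covers larger blocks, where the alignment condition involves more than the last octet. The subnet check is the other thing worth verifying locally, since an exception range that falls outside the network being configured cannot be applied.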
Quick Reference Table
| Subnet mask | Number of usable IP addresses | Note |
|---|---|---|
| /32 | 1 address | The last number is divisible by 1 |
| /31 | 2 addresses | The last number is divisible by 2 |
| /30 | 4 addresses | The last number is divisible by 4 |
| /29 | 8 addresses | The last number is divisible by 8 |
| /28 | 16 addresses | The last number is divisible by 16 |
| /27 | 32 addresses | The last number is divisible by 32 |
| /26 | 64 addresses | The last number is divisible by 64 |
| /25 | 128 addresses | The last number is divisible by 128 |
| /24 | 256 addresses | The last number is divisible by 256 |
