This service restricts connections to specified on-campus IP addresses so that they can be made only from sources within Japan.

Applied to IP addresses that are used only for maintenance connections from vendors without a fixed source IP address, it mitigates indiscriminate connection probing and intrusion attempts from overseas.
* If the source IP address can be fixed, configure filtering on the system receiving maintenance (or similar) so that only access from that source is permitted.

Service Details

  • Restricts the connection source for communication addressed to a specified on-campus global IP address (an address beginning with 131.112) to within Japan only.
  • It can be used as an option for IPs whose connections are permitted by the Firewall Service's inbound policy, or IPs that have had screening lifted under the Screening Service.
  • IPs for which connections from outside the university are not permitted by the Firewall/Screening Service cannot use it.
  • This service does not restrict communication to outside the university. If a Firewall Service outbound policy is configured, that configuration is followed. If connections to outside the university are permitted, updates for the OS, security software, etc., remain available.
Examples of Combination with the Firewall/Screening Service
  • When combined with the Firewall Service:
    • When the overall inbound policy permits only HTTP connections:
      • Connections to the specified IP's web service are restricted to within Japan only.
      • Connections to web services other than the specified IP can also be made from overseas.
      • Inbound communication other than HTTP is blocked by the Firewall Service.
  • When combined with the Screening Service:
    • All communication addressed to the specified IP becomes Japan-only. Communication from the specified IP to outside the university does not become Japan-only.

How to Use

Specifying the Target IP Addresses

You can specify the target IP addresses as a single IP address or as multiple IP addresses.
* Because firewall resources are limited, there is a cap on the number of times this service can be applied per subnet.

If you intend to use this service for multiple IP addresses, please consolidate them into a single contiguous range as much as possible, using a subnet mask or range specification, with reference to the following.

Specifying an IP Address Range

Regarding subnet masks, please also check the reference information below.

Specification by subnet mask:  131.112.125.4/30  (4-7 are targeted)
Specification by range:        131.112.125.4-7

How to Apply

The designated liaison of the subnet to which the target IP addresses belong should apply by email to apply[@]noc.cii.isct.ac.jp, stating the IP(s) whose settings you want to change.
After we review the content and there are no problems, we will apply it to the firewall and reply by email to that effect.

Important Notes

  • This is configured on a firewall device separate from the Firewall/Screening Service. While the route is temporarily switched due to device maintenance, a fault, or similar, the Japan-only filter is not applied.
  • "Within Japan" in this service refers to addresses provided as "Japan" in the IP geolocation database of the firewall already deployed at this university. Even if there are changes or omissions in this content due to device or operational changes, the restriction is, in principle, provided based on this category.
  • While it is effective in suppressing suspicious connections from overseas, please be sure to configure security settings on the server or other system that uses this service.

Reference: How to Specify an IP Address Range Using a Subnet Mask (CIDR)

When specifying an IP address range in CIDR format, you specify the start address (AAA.BBB.CCC.DDD) and the mask (MM). The mask takes a value from 1 to 32 according to the bit length of the IP address, and indicates how many leading bits are masked. In other words, you specify 2^(32−MM) addresses, corresponding to the remaining unmasked bit length, as the address range.

For on-campus subnets, networks are usually allocated as /24, so MM takes a value from 24 to 31, and the fourth octet (DDD) of the IP address must be divisible by 2^(32−MM).

For example, when specifying an address range within 131.112.126.0/24:
131.112.126.2/31 = 131.112.126.2-3  (a range of 2 addresses)
131.112.126.4/30 = 131.112.126.4-7  (a range of 4 addresses)
131.112.126.0/28 = 131.112.126.0-15 (a range of 16 addresses)

[Quick Reference Table]
Mask   Addresses   Condition on the last number (fourth octet)
/32    1           divisible by 1
/31    2           divisible by 2
/30    4           divisible by 4
/29    8           divisible by 8
/28    16          divisible by 16
/27    32          divisible by 32
/26    64          divisible by 64
/25    128         divisible by 128
/24    256         divisible by 256
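The two specification forms from "Specifying an IP Address Range" and the alignment rule above (fourth octet divisible by 2^(32−MM), MM between 24 and 32) can be checked before an application is sent. The following is an added example, not a tool provided by the NOC: it parses both forms, rejects misaligned blocks and non-campus addresses, and consolidates a list of individual IPs into the fewest aligned blocks so that a request uses as few firewall entries as possible. The campus prefix 131.112.0.0/16 is assumed from the "address beginning with 131.112" wording.

```python
import ipaddress
from typing import List

# Assumed from the page: on-campus global addresses begin with 131.112.
CAMPUS_PREFIX = ipaddress.ip_network("131.112.0.0/16")


def aligned(fourth_octet: int, mm: int) -> bool:
    """Page rule: MM is 24..32 and the fourth octet is divisible by 2**(32-MM)."""
    return 24 <= mm <= 32 and fourth_octet % (2 ** (32 - mm)) == 0


def parse_target(spec: str) -> ipaddress.IPv4Network:
    """Parse '131.112.125.4/30' or '131.112.125.4-7' into one aligned block.

    Raises ValueError for a misaligned block, a range that is not a single
    CIDR block, or an address outside the campus prefix.
    """
    if "-" in spec:
        start, end = spec.split("-", 1)
        first = ipaddress.ip_address(start)
        # Range form: the end is either a full address or just the fourth octet.
        end_addr = end if "." in end else ".".join(start.split(".")[:3] + [end])
        nets = list(ipaddress.summarize_address_range(first, ipaddress.ip_address(end_addr)))
        if len(nets) != 1:
            raise ValueError(f"{spec} is not one aligned block: {[str(n) for n in nets]}")
        net = nets[0]
    else:
        addr, mm = spec.split("/", 1)
        if not aligned(int(addr.split(".")[3]), int(mm)):
            raise ValueError(f"{spec}: fourth octet must be divisible by 2**(32-{mm})")
        # strict=True is a second check that no host bits are set.
        net = ipaddress.ip_network(spec, strict=True)
    if not net.subnet_of(CAMPUS_PREFIX):
        raise ValueError(f"{net} is not an on-campus (131.112.x.x) address")
    return net


def consolidate(hosts: List[str]) -> List[ipaddress.IPv4Network]:
    """Collapse individual target IPs into the fewest aligned CIDR blocks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_address(h) for h in hosts))


if __name__ == "__main__":
    print(parse_target("131.112.125.4-7"))          # 131.112.125.4/30
    print(consolidate(["131.112.126.2", "131.112.126.3", "131.112.126.4",
                       "131.112.126.5", "131.112.126.6", "131.112.126.7"]))
```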