CF Web>Networking>CSNetworkACL (2024-10-30, MariHassanzada)

CS network ACL summary (THIS PAGE NEEDS UPDATING)

work in progress -- please send comments to trg

CS network ACL summary (THIS PAGE NEEDS UPDATING)

We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our ST#90052, which refers to the IST RT UW-RT #302304 (which you probably won't be able to read). These are both stalled indefinitely (as of 2014-2-28).

In the interim, here is an informal and likely incomplete summary:

client networks

outbound unrestricted
off-campus inbound restricted, other that stateful return traffic
networks affected:

IP adresses	Router	Vlan
129.97.84.0/24	dc-cs2	84
129.97.168.0/24	dc-cs2	168
129.97.169.0/24	dc-cs2	169
129.97.170.0/23	dc-cs2	170

Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections -- ie the traffic that comes back as the result of an outbound TCP connection is allowed. The exceptions which allow inbound traffic are for:

ssh
RDP
ident

For details, see the dc-cs2 configuration definition of the ACL set "170_client-untrust"

infrastructure LOM/IPMI networks

outbound unrestricted (notwithstanding private IP limitations)
off-campus inbound restricted
intra-campus inbound restricted
networks affected:

IP adresses	Router	Vlan
10.0.152.0/24	dc-cs2	525
10.0.153.0/24	cs-rt-dc-2303a	525
10.0.154.0/24	cs-rt-mc-3015a	525
10.0.155.0/24	cs-rt-m3-3101	525
10.15.2.0/24	dc-cs2	802
10.15.3.0/24	mc-cs2	806
10.15.16.0/24	dc-cs2	816
10.15.18.0/24	dc-cs2	812
10.15.28.0/24	mc-cs2	810

Each of the above networks can be reached only from the following networks/hosts:

IP adresses	Comment
10.15.152.4/32	Host: asgard.cscf.uwaterloo.ca
129.97.15.0/24	CSCF network
172.19.15.0/24	CSCF trusted UW-Intranet network -- not implement yet at of 2014-3-6
172.19.4.229/32	Host: cscf.cs.uwaterloo.ca

research LOM/IPMI

As at 2014-3-6, there is one dedicated research LOM network, namely 172.19.96.0/24. It is completely unrestricted. It it proposed to expand this to three separate network, as follows:

Network	vlan	Comment
172.19.96.0/24	1896	existing network, unrestricted access
172.19.97.0/24	1894	high-restricted LOMs, just from vlan 15 and cscf.cs.uwaterloo.ca; same as the infrastructure LOMs
172.19.98.0/24	1895	moderately-restricted, allows various client networks within CS, as follows:
		129.97.7.0/24	research servers
		129.97.15.0/24	CSCF staff network
		129.97.26.0/24	research servers
		129.97.84.0/24	client workstations
		129.97.105.0/24	Shoshin research group
		129.97.114.0/24	CGL research group
		129.97.167.128/25	CS public servers (contains linux.cs) (vlan dc:421)
		129.97.168.0/24	client workstations
		129.97.169.0/24	client workstations
		129.97.170.0/23	client workstations
		129.97.173.192/26	CSG research group (vlan dc:1732)
		129.97.186.0/24	PLG research group
		172.19.15.0/24	CSCF Staff network -- future

teaching-lab networks

outbound unstricted
off-campus inbound restricted (except for stateful TCP)
some intra-campus inbound restricted, eg wireless and ResNet unless otherwise noted

IP adresses	Router	Vlan	Comment
129.97.51.0/24	mc-cs2	51	Mac labs in MC
129.97.173.64/26	mc-cs2	424	ugsters, allows ssh, RDP, ident; allows wireless

infrastructure general-purpose networks

tbd

Topic revision: r7 - 2024-10-30 - MariHassanzada

Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.

Other Webs

My links
- People
- CERAS
- WatForm
- Tetherless lab
- Ubuntu Main.HowTo
- eDocs
- RGG NE notes
- RGG
- CS infrastructure
- Grad images

Edit