CSNetworkACL (2024-10-30, MariHassanzada)
---+ CS network ACL summary (THIS PAGE NEEDS UPDATING)

work in progress -- please send comments to trg

%TOC%

We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our [[https://cs.uwaterloo.ca/cscf/internal/request_debug/UpdateRequest?90052][ST#90052]], which refers to the IST RT [[https://rt.uwaterloo.ca/Ticket/Display.html?id=302304][UW-RT #302304]] (which you probably won't be able to read). Both are stalled indefinitely (as of 2014-2-28). In the interim, here is an informal and likely incomplete summary:

---++ client networks

   * outbound unrestricted
   * off-campus inbound restricted, other than stateful return traffic
   * networks affected:

%TABLE{ headerrows="1" sort="on" initsort="1" initdirection="down" }%
| *IP addresses* | *Router* | *Vlan* |
| 129.97.84.0/24 | dc-cs2 | 84 |
| 129.97.168.0/24 | dc-cs2 | 168 |
| 129.97.169.0/24 | dc-cs2 | 169 |
| 129.97.170.0/23 | dc-cs2 | 170 |

Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections, i.e. the traffic that comes back as the result of an outbound TCP connection is allowed.

The exceptions which allow inbound traffic from off campus are for:

   * ssh
   * RDP
   * ident

For details, see the dc-cs2 configuration definition of the ACL set "170_client-untrust".

---++ infrastructure LOM/IPMI networks

   * outbound unrestricted (notwithstanding private IP limitations)
   * off-campus inbound restricted
   * intra-campus inbound restricted
   * networks affected:

%TABLE{ headerrows="1" sort="on" initsort="1" initdirection="down" }%
| *IP addresses* | *Router* | *Vlan* |
| 10.15.2.0/24 | dc-cs2 | 802 |
| 10.15.3.0/24 | mc-cs2 | 806 |
| 10.15.16.0/24 | dc-cs2 | 816 |
| 10.15.18.0/24 | dc-cs2 | 812 |
| 10.15.28.0/24 | mc-cs2 | 810 |
| 10.0.152.0/24 | dc-cs2 | 525 |
| 10.0.153.0/24 | cs-rt-dc-2303a | 525 |
| 10.0.154.0/24 | cs-rt-mc-3015a | 525 |
| 10.0.155.0/24 | cs-rt-m3-3101 | 525 |

Each of the above networks can be reached only from the following networks/hosts (all other sources, on or off campus, are denied):

%TABLE{ headerrows="1" sort="on" initsort="1" initdirection="down" }%
| *IP addresses* | *Comment* |
| 129.97.15.0/24 | CSCF network |
| 172.19.15.0/24 | CSCF trusted UW-Intranet network -- not implemented yet as of 2014-3-6 |
| 172.19.4.229/32 | Host: cscf.cs.uwaterloo.ca |
| 10.15.152.4/32 | Host: asgard.cscf.uwaterloo.ca |

---++ research LOM/IPMI

As of 2014-3-6, there is one dedicated research LOM network, namely 172.19.96.0/24. It is completely unrestricted.

It is proposed to expand this to three separate networks, as follows:

%TABLE{ headerrows="1" }%
| *Network* | *vlan* | *Comment* |
| 172.19.96.0/24 | 1896 | existing network, unrestricted access |
| 172.19.97.0/24 | 1894 | highly-restricted LOMs, reachable only from vlan 15 and cscf.cs.uwaterloo.ca; same as the infrastructure LOMs |
| 172.19.98.0/24 | 1895 | moderately-restricted, allows the client networks within CS listed in the next table |

Networks allowed to reach the moderately-restricted 172.19.98.0/24:

%TABLE{ headerrows="1" }%
| *IP addresses* | *Comment* |
| 129.97.7.0/24 | research servers |
| 129.97.15.0/24 | CSCF staff network |
| 129.97.26.0/24 | research servers |
| 129.97.84.0/24 | client workstations |
| 129.97.105.0/24 | Shoshin research group |
| 129.97.114.0/24 | CGL research group |
| 129.97.167.128/25 | CS public servers (contains linux.cs) (vlan dc:421) |
| 129.97.168.0/24 | client workstations |
| 129.97.169.0/24 | client workstations |
| 129.97.170.0/23 | client workstations |
| 129.97.173.192/26 | CSG research group (vlan dc:1732) |
| 129.97.186.0/24 | PLG research group |
| 172.19.15.0/24 | CSCF staff network -- future |

---++ teaching-lab networks

   * outbound unrestricted
   * off-campus inbound restricted (except for stateful TCP)
   * some intra-campus inbound restricted, e.g. wireless and ResNet, unless otherwise noted

%TABLE{ headerrows="1" sort="on" initsort="1" initdirection="down" }%
| *IP addresses* | *Router* | *Vlan* | *Comment* |
| 129.97.51.0/24 | mc-cs2 | 51 | Mac labs in MC |
| 129.97.173.64/26 | mc-cs2 | 424 | ugsters; allows ssh, RDP, ident; allows wireless |

---++ infrastructure general-purpose networks

tbd
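The following is an added example and is not code from this page or from the CSCF router configurations: a small Python model of the ACL summary above (client networks, infrastructure LOM/IPMI networks, and the existing and proposed research LOM networks) that decides sample flows the way the summary says the constituency routers should, so that an intended flow can be checked against the documented policy before a change request is filed. It assumes the campus address ranges (129.97.0.0/16 plus the 10/8 and 172.19/16 space the page itself uses), that "stateful" means inbound TCP segments belonging to a connection opened outbound are allowed back, and that ssh, RDP and ident are TCP/22, TCP/3389 and TCP/113. The Flow class, evaluate() and check_policy() are names chosen for this example, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# --- networks as listed in the summary above ---
CLIENT_NETS = nets("129.97.84.0/24", "129.97.168.0/24",
                   "129.97.169.0/24", "129.97.170.0/23")
INFRA_LOM_NETS = nets("10.15.2.0/24", "10.15.3.0/24", "10.15.16.0/24",
                      "10.15.18.0/24", "10.15.28.0/24", "10.0.152.0/24",
                      "10.0.153.0/24", "10.0.154.0/24", "10.0.155.0/24")
# 172.19.15.0/24 is listed on the page as "not implemented yet"; it is
# included here as the stated policy.
INFRA_LOM_SOURCES = nets("129.97.15.0/24", "172.19.15.0/24",
                         "172.19.4.229/32", "10.15.152.4/32")
RESEARCH_LOM_OPEN = nets("172.19.96.0/24")      # existing, unrestricted
RESEARCH_LOM_HIGH = nets("172.19.97.0/24")      # proposed; same as infra LOMs
RESEARCH_LOM_MODERATE = nets("172.19.98.0/24")  # proposed
RESEARCH_LOM_MODERATE_SOURCES = nets(
    "129.97.7.0/24", "129.97.15.0/24", "129.97.26.0/24", "129.97.84.0/24",
    "129.97.105.0/24", "129.97.114.0/24", "129.97.167.128/25",
    "129.97.168.0/24", "129.97.169.0/24", "129.97.170.0/23",
    "129.97.173.192/26", "129.97.186.0/24", "172.19.15.0/24")

# --- assumptions not stated on the page ---
CAMPUS = nets("129.97.0.0/16", "10.0.0.0/8", "172.19.0.0/16")
INBOUND_EXCEPTIONS = {22: "ssh", 3389: "RDP", 113: "ident"}  # TCP ports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    established: bool = False  # TCP segment of a connection opened outbound


def _in(addr, netlist):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in netlist)


def evaluate(flow):
    """Decide a flow as it arrives at the constituency router.

    Returns (verdict, reason) with verdict "permit" or "deny".
    """
    # 1. Management networks: destination-based source whitelists, checked
    #    first so that an ordinary client host can never reach a BMC even
    #    though the client networks are "outbound unrestricted".
    if _in(flow.dst, INFRA_LOM_NETS) or _in(flow.dst, RESEARCH_LOM_HIGH):
        if _in(flow.src, INFRA_LOM_SOURCES):
            return "permit", "LOM source whitelist"
        return "deny", "LOM reachable only from CSCF sources"
    if _in(flow.dst, RESEARCH_LOM_MODERATE):
        if _in(flow.src, RESEARCH_LOM_MODERATE_SOURCES):
            return "permit", "research LOM (moderate) source list"
        return "deny", "not on research LOM (moderate) source list"
    if _in(flow.dst, RESEARCH_LOM_OPEN):
        return "permit", "research LOM 172.19.96.0/24 is unrestricted"
    # 2. Client networks: anything outbound; inbound only from campus,
    #    established TCP, or the three documented exceptions.
    if _in(flow.src, CLIENT_NETS):
        return "permit", "outbound from client network"
    if _in(flow.dst, CLIENT_NETS):
        if _in(flow.src, CAMPUS):
            return "permit", "intra-campus inbound (not restricted)"
        if flow.proto == "tcp" and flow.established:
            return "permit", "stateful return traffic"
        if flow.proto == "tcp" and flow.dport in INBOUND_EXCEPTIONS:
            return "permit", "inbound exception: " + INBOUND_EXCEPTIONS[flow.dport]
        return "deny", "off-campus inbound to client network"
    return "permit", "not covered by this summary"


def check_policy():
    """Constructed sample flows with the verdict the summary implies."""
    cases = [
        (Flow("129.97.84.10", "203.0.113.5", "tcp", 443), "permit"),
        (Flow("203.0.113.5", "129.97.84.10", "tcp", 443, True), "permit"),
        (Flow("203.0.113.5", "129.97.84.10", "tcp", 22), "permit"),
        (Flow("203.0.113.5", "129.97.84.10", "tcp", 445), "deny"),
        (Flow("129.97.84.10", "10.15.2.20", "udp", 623), "deny"),
        (Flow("129.97.15.7", "10.15.2.20", "udp", 623), "permit"),
        (Flow("129.97.7.3", "172.19.98.10", "tcp", 443), "permit"),
        (Flow("129.97.7.3", "172.19.97.10", "tcp", 443), "deny"),
    ]
    return all(evaluate(f)[0] == want for f, want in cases)


if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "129.97.84.10", "tcp", 3389),
              Flow("129.97.84.10", "10.0.155.9", "udp", 623)):
        print(f.src, "->", f.dst, f.proto, f.dport, evaluate(f))
```

The order of the checks matters: the LOM destination rules come before the "client networks may send anything outbound" rule, otherwise a client workstation would be permitted to reach an IPMI controller. That ordering is a property of this model, not a statement about how dc-cs2 or mc-cs2 sequence their ACL entries; to confirm the real behaviour, compare against the "170_client-untrust" definition on the router.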
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.