CS network ACL summary
work in progress -- please send comments to trg
We've requested a summary (with regular ongoing updates and maintenance) of the ACLs applied to our networks by the constituency routers for our area. See our ST#90052, which refers to the IST RT UW-RT #302304
(which you probably won't be able to read). These are both stalled indefinitely (as of 2014-2-28).
In the interim, here is an informal and likely incomplete summary:
client networks
- outbound unrestricted
- off-campus inbound restricted, other that stateful return traffic
- networks affected:
IP adresses |
Router | Vlan |
|---|---|---|
| 129.97.84.0/24 | dc-cs2 | 84 |
| 129.97.168.0/24 | dc-cs2 | 168 |
| 129.97.169.0/24 | dc-cs2 | 169 |
| 129.97.170.0/23 | dc-cs2 | 170 |
Each of the above networks is restricted to "outbound" traffic only, with a couple of exceptions. The ACL is stateful with respect to established TCP connections -- ie the traffic that comes back as the result of an outbound TCP connection is allowed. The exceptions which allow inbound traffic are for:
- ssh
- RDP
- ident
infrastructure LOM/IPMI networks
- outbound unrestricted (notwithstanding private IP limitations)
- off-campus inbound restricted
- intra-campus inbound restricted
- networks affected:
| IP adresses |
Router | Vlan |
|---|---|---|
| 10.0.152.0/24 | dc-cs2 | 525 |
| 10.0.153.0/24 | cs-rt-dc-2303a | 525 |
| 10.0.154.0/24 | cs-rt-mc-3015a | 525 |
| 10.0.155.0/24 | cs-rt-m3-3101 | 525 |
| 10.15.2.0/24 | dc-cs2 | 802 |
| 10.15.3.0/24 | mc-cs2 | 806 |
| 10.15.16.0/24 | dc-cs2 | 816 |
| 10.15.18.0/24 | dc-cs2 | 812 |
| 10.15.28.0/24 | mc-cs2 | 810 |
Each of the above networks can be reached only from the following networks/hosts:
| IP adresses |
Comment |
|---|---|
| 10.15.152.4/0.0.0.0 | eventual new cscf.cs.uwaterloo.ca |
| 129.97.15.0/24 | cscf network |
| 172.19.4.229/32 | cscf.cs.uwaterloo.ca single host |
research LOM/IPMI
- tbd
teaching-lab networks
- outbound unstricted
- off-campus inbound restricted (except for stateful TCP)
- some intra-campus inbound restricted, eg wireless and ResNet unless otherwise noted
| IP adresses |
Router | Vlan | Comment |
|---|---|---|---|
| 129.97.51.0/24 | mc-cs2 | 51 | Mac labs in MC |
| 129.97.173.64/26 | mc-cs2 | 424 | ugsters, allows ssh, RDP, ident; allows wireless |
infrastructure general-purpose networks
tbd
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback