Restriction of access to the FI MU network
Access to the faculty network is limited to increase its security. In simple terms, three basic access groups can be considered (with increasing credibility and a number of accessible services):
- from the Internet
- from the university network: from addresses in the domain
muni.cz, that is, from address ranges
- from the faculty network: from addresses in the domain
fi.muni.cz, that is, from address ranges
The university network can be reached using a university VPN. The level of the faculty network can be reached using
faculty VPN (or university VPN) or using SSH tunnels (see below; using a university VPN is not enough) or see also in general
remote access to services . Private networks (
172.20.0.0/12 ) are routed and only available within the FI network.
The FI network is segmented and controlled by the firewall, usually at the boundaries set for IPv4 blocks C (
147.251.n.0/24 ) and for IPv6 at mask boundaries
2001:718:801:2nn::/64 ). In general, all privileged ports of all machines are blocked.
For any requests for changes to the faculty firewall, contact
Examples of service availability
Available from outside:
- SSH, IMAP (S), POP3 (S) on Aisa and Anxura
- SMTP with forced authentication on
Available only from the MU network:
Available only from the FI network (or parts thereof):
SSH on ports 80, 443
If your ISP blocks communication on port 22, for FI employees (and others with access to Anxura ) we provide the possibility of connection via port 80 and 443:
home$ ssh -p 80 email@example.com
Tunneling via SSH
If you need to connect to a service that is only available from the faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts . See, for example, the documentation ArchLinux or Gentoo for a description of use.
For these purposes, for example, can be used Aisy . Brief examples:
# port forwarding home$ ssh -L 13306:db.fi.muni.cz:3306 firstname.lastname@example.org home$ mysql -h localhost -p 13306 -u login -p # jump hosts home$ ssh -J email@example.com login@nymfeNN.fi.muni.cz
IP address blocking
Due to the protection of services provided by the FI MU network, attempts to access banned ports of banned or non-existent machines are monitored. If a machine repeatedly accesses forbidden ports of forbidden machines, its behavior is evaluated as an attempt to intrude into the FI MU network and access from this machine to the FI MU network (including access to IS MU) is completely blocked, usually for 24 hours. In repeated incidents, on the other hand, permanent blocking is performed.
Another blocking and blacklisting system is then also operated at the university level.
How to proceed in case of blockage
If you think so your address blocked, get inspired IS instructions to find out the technical details. You can verify the blocking of your IP address on the faculty firewall in the application IP blacklist in the Faculty Administration. It is possible to verify possible unavailability of services on the FI side at Status FI .
Unblocking can be requested administrator who may terminate the blocking prematurely after assessing the circumstances. Always include your address in the address unblocking request external IP address .