
Machine-translated page for increased accessibility for English questioners.

Restriction of access to the FI MU network

Access to the faculty network is restricted to increase its security. In simple terms, three basic access groups can be distinguished (with increasing trust and number of accessible services):

  • from the Internet
  • from the university network: from addresses in the domain muni.cz, that is, from address ranges 147.251.0.0/16 or 2001:718:801::/48
  • from the faculty network: from addresses in the domain fi.muni.cz, that is, from address ranges 147.251.42–53.0/24, 147.251.58.0/24, 172.16.0.0/12 or 2001:718:801:200::/56

The university network level can be reached using the university VPN. The faculty network level can be reached using the faculty VPN (or university VPN) or using SSH tunnels (see below; using a university VPN is not enough). Private networks (172.20.0.0/12) are routed and available only within the FI network.
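To check which of the three groups a given source address falls into, the ranges listed above can be matched with Python's ipaddress module. This is an added example, not part of the faculty documentation; the group labels and the sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges copied from the list above; the group names are labels chosen here.
UNIVERSITY = [ipaddress.ip_network(n)
              for n in ("147.251.0.0/16", "2001:718:801::/48")]

# "147.251.42–53.0/24" is twelve consecutive /24 blocks; collapse them
# into the minimal set of CIDR prefixes covering exactly that span.
FI_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("147.251.42.0"),
    ipaddress.ip_address("147.251.53.255")))

# 172.16.0.0/12 is private space: a match is only meaningful for traffic
# observed inside the FI network, where these addresses are routed.
FACULTY = FI_RANGE + [ipaddress.ip_network(n) for n in (
    "147.251.58.0/24", "172.16.0.0/12", "2001:718:801:200::/56")]


def access_group(address: str) -> str:
    """Return 'faculty', 'university' or 'internet' for a source address."""
    ip = ipaddress.ip_address(address)
    # The faculty ranges lie inside the university ranges, so the most
    # specific (most trusted) group has to be tested first.
    for name, nets in (("faculty", FACULTY), ("university", UNIVERSITY)):
        if any(ip.version == net.version and ip in net for net in nets):
            return name
    return "internet"


if __name__ == "__main__":
    # Constructed sample addresses (192.0.2.1 is a documentation address).
    for sample in ("147.251.48.1", "147.251.54.10", "172.20.1.1",
                   "2001:718:801:2ff::1", "2001:718:801:300::1", "192.0.2.1"):
        print(f"{sample:24} {access_group(sample)}")
    print("147.251.42-53 as CIDR:", ", ".join(map(str, FI_RANGE)))
```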

The FI network is segmented and controlled by the firewall, usually at the boundaries of IPv4 class C blocks (147.251.n.0/24) and, for IPv6, at /64 prefix boundaries (2001:718:801:2nn::/64). In general, all privileged ports of all machines are blocked.

For any requests for changes to the faculty firewall, contact unix@fi.muni.cz.

Examples of service availability

Available from outside:

  • SSH, IMAP(S), POP3(S) on Aisa and Anxur
  • SMTP with forced authentication on relay.fi.muni.cz

Available only from the MU network:

Available only from the FI network (or part of it):

SSH on ports 80, 443

If your ISP blocks communication on port 22, FI employees (and others with access to Anxur) can connect via ports 80 and 443 instead:

home$ ssh -p 80 login@anxur-ssh.fi.muni.cz

Tunneling via SSH

If you need to connect to a service that is only available from the faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts. See, for example, the Arch Linux or Gentoo documentation for a description of their use.

For example, Aisa can be used for these purposes. Brief examples:

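# port forwarding: local port 13306 is forwarded through aisa to db.fi.muni.cz:3306
home$ ssh -L 13306:db.fi.muni.cz:3306 login@aisa.fi.muni.cz
# -P (uppercase) sets the port; 127.0.0.1 forces TCP instead of the local socket
home$ mysql -h 127.0.0.1 -P 13306 -u login -p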

# jump hosts
home$ ssh -J login@aisa.fi.muni.cz login@nymfeNN.fi.muni.cz

IP address blocking

To protect the services provided by the FI MU network, attempts to access forbidden ports of forbidden or non-existent machines are monitored. If a machine repeatedly accesses forbidden ports of forbidden machines, its behavior is evaluated as an attempt to intrude into the FI MU network, and access from this machine to the FI MU network (including access to the IS MU) is completely blocked, usually for 24 hours. For repeated incidents, however, the block is made permanent.

A separate blocking and blacklisting system is also operated at the university level.

How to proceed in case of blockage

If you think your address has been blocked, consult the IS instructions to find out the technical details. You can verify whether your IP address is blocked on the faculty firewall in the IP blacklist application in the Faculty Administration.

Unblocking can be requested from the administrator, who may end the block early after assessing the circumstances.