Restricting access to the FI MU network
Access to the faculty network is restricted to improve its security. Three basic access groups can be distinguished (in order of increasing trust and number of accessible services):
- from the Internet
- from the university network: from addresses in the domain muni.cz, that is, from address ranges
- from the faculty network: from addresses in the domain fi.muni.cz, that is, from address ranges
You can access the university network by using the university VPN. You can access the faculty network using SSH tunnels (see below; the university VPN alone is not enough). Private networks (172.20.0.0/12) are routed and available only within the FI network.
The FI network is segmented and firewalled, usually at the boundaries of IPv4 C blocks (147.251.n.0/24) and, for IPv6, at /64 prefix boundaries (2001:718:801:2nn::/64). Generally, all privileged ports of all machines are blocked.
For any requests for changes to the Faculty Firewall, please contact
Examples of service availability
Available from outside:
- SSH, IMAP(S), POP3(S) on Aisa and Anxur
- SMTP with forced authentication on
Available only from MU network:
Available only from FI (or parts thereof):
SSH on ports 80, 443
If your ISP blocks communication on port 22, we provide FI employees (and others with access to Anxur) with SSH connectivity via ports 80 and 443:
ssh -p 80 email@example.com
Tunneling through SSH
If you need to connect to a service that is available only from the faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts. See, for example, the ArchLinux or Gentoo documentation for a description of their use.
You can use, for example, Aisa for this purpose. Brief samples:
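# port forwarding: local port 13306 is forwarded to db.fi.muni.cz:3306
home$ ssh -L 13306:db.fi.muni.cz:3306 firstname.lastname@example.org
# -P (capital) sets the port; 127.0.0.1 makes the client use TCP instead of the local socket
home$ mysql -h 127.0.0.1 -P 13306 -u login -p
# jump hosts
home$ ssh -J email@example.com login@nymfeNN.fi.muni.cz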
Blocking IP addresses
To protect the services provided by the FI MU network, attempts to access forbidden ports of forbidden or nonexistent machines are monitored. If a machine repeatedly accesses forbidden ports of forbidden machines, its behavior is evaluated as an attempted unauthorized intrusion into the FI MU network, and access from that machine to the FI MU network (including access to IS MU) is completely blocked, usually for 24 hours. In case of repeated incidents, the blocking is permanent.
Another system of blocking and blacklisting is also operated at the university level.
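The blocking policy described above, sketched as an added example (not the faculty firewall's actual implementation). The thresholds, the 10-minute window and the log format are assumptions, since the page says only "repeatedly" and "usually for 24 hours"; all addresses are constructed documentation-range values.

```python
from datetime import datetime, timedelta

# Assumed values: the page gives no numbers beyond "usually for 24 hours".
HITS_PER_INCIDENT = 3            # denied attempts inside WINDOW that form one incident
WINDOW = timedelta(minutes=10)
BLOCK_FOR = timedelta(hours=24)
INCIDENTS_FOR_PERMANENT = 2      # a repeated incident makes the block permanent

# Constructed firewall log: timestamp, verdict, source, destination:port
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY 198.51.100.7 192.0.2.10:23
2024-03-01T10:01:00 DENY 198.51.100.7 192.0.2.11:445
2024-03-01T10:01:30 ALLOW 203.0.113.9 192.0.2.20:22
2024-03-01T10:02:00 DENY 198.51.100.7 192.0.2.12:3389
2024-03-01T10:05:00 DENY 203.0.113.9 192.0.2.10:23
2024-03-01T12:00:00 DENY 198.51.100.7 192.0.2.10:23
2024-03-03T09:00:00 DENY 198.51.100.7 192.0.2.10:23
2024-03-03T09:01:00 DENY 198.51.100.7 192.0.2.10:25
2024-03-03T09:02:00 DENY 198.51.100.7 192.0.2.10:111
2024-03-03T11:00:00 DENY 198.51.100.80 192.0.2.10:23
2024-03-03T11:03:00 DENY 198.51.100.80 192.0.2.10:25
2024-03-03T11:04:00 DENY 198.51.100.80 192.0.2.10:111
"""

def evaluate(log_text):
    """Return {source: block expiry as datetime, or None for a permanent block}."""
    recent, incidents, blocks = {}, {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "DENY":
            continue                      # only denied attempts count
        stamp, _, src, _ = parts
        now = datetime.fromisoformat(stamp)
        if src in blocks and (blocks[src] is None or now < blocks[src]):
            continue                      # source is already blocked
        hits = [t for t in recent.get(src, []) if now - t <= WINDOW] + [now]
        if len(hits) < HITS_PER_INCIDENT:
            recent[src] = hits
            continue
        recent[src] = []                  # threshold reached: record an incident
        incidents[src] = incidents.get(src, 0) + 1
        permanent = incidents[src] >= INCIDENTS_FOR_PERMANENT
        blocks[src] = None if permanent else now + BLOCK_FOR
    return blocks

if __name__ == "__main__":
    for src, until in evaluate(SAMPLE_LOG).items():
        print(src, "permanent" if until is None else f"blocked until {until}")
```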
What to do in case of blocking
If you think your address is blocked, follow the IS instructions to find out the technical details. You can verify whether your IP address is blocked on the faculty firewall in the IP blacklist application in the Faculty Administration.
You can request cancellation of the block from the administrator, who can end the blocking early after assessing the circumstances.