Machine-translated page for increased accessibility for English questioners.

Restricting access to the FI MU network

Access to the faculty network is restricted to increase its security. Three basic access groups can be distinguished (in order of increasing trust and number of accessible services):

  • from the Internet
  • from the university network: from addresses in the domain muni.cz, that is, from address ranges 147.251.0.0/16 or 2001:718:801::/48
  • from the faculty network: from addresses in the domain fi.muni.cz, that is, from address ranges 147.251.42–53.0/24, 147.251.58.0/24, 172.16.0.0/12 or 2001:718:801:200::/56

You can access the university network by using the university VPN. To access the faculty network, use SSH tunnels (see below); the university VPN alone is not enough. Private networks (172.20.0.0/12) are routed and available only within the FI network.

The FI network is segmented and controlled by firewalls, usually at the boundaries of IPv4 class C blocks (147.251.n.0/24) and, for IPv6, at the /64 prefix boundary (2001:718:801:2nn::/64). Generally, all privileged ports of all machines are blocked.

For any requests for changes to the faculty firewall, please contact unix@fi.muni.cz.

Examples of service availability

Available from outside:

  • SSH, IMAP(S), POP3(S) on Aisa and Anxur
  • SMTP with forced authentication on relay.fi.muni.cz

Available only from MU network:

Available only from FI (or parts thereof):

SSH on ports 80, 443

If your ISP blocks communication on port 22, we provide FI employees (and others with access to Anxur) with connectivity via ports 80 and 443:

ssh -p 80 login@anxur-ssh.fi.muni.cz

Tunneling through SSH

If you need to connect to a service that is available only from the faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts. See, for example, the Arch Linux or Gentoo documentation for a description of their use.

Aisa, for example, can be used for this purpose. Brief examples:

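# port forwarding
home$ ssh -L 13306:db.fi.muni.cz:3306 login@aisa.fi.muni.cz
# -P (capital) sets the port; 127.0.0.1 forces TCP, since "localhost" makes the client use the local Unix socket
home$ mysql -h 127.0.0.1 -P 13306 -u login -p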

# jump hosts
home$ ssh -J login@aisa.fi.muni.cz login@nymfeNN.fi.muni.cz

Blocking IP addresses

In order to protect the services provided by the FI MU network, attempts to access forbidden ports on forbidden or nonexistent machines are monitored. If a machine repeatedly accesses forbidden ports on forbidden machines, its behavior is evaluated as an attempted unauthorized intrusion into the FI MU network, and access from that machine to the FI MU network (including access to IS MU) is completely blocked, usually for 24 hours. In case of repeated incidents, the blocking is permanent.

Another system of blocking and blacklisting is also operated at the university level.

What to do in case of blocking

If you think your address is blocked, consult the IS instructions to find out the technical details. You can verify whether your IP address is blocked on the faculty firewall in the IP blacklist application in the Faculty Administration.

You can ask the administrator to cancel the blocking; after assessing the circumstances, the administrator can end the blocking early.