Machine-translated page for increased accessibility for English questioners.

Restrictions on access to the FI MU network

Access to the faculty network is restricted to increase its security. Put simply, there are three basic groups of access (listed in order of increasing trustworthiness and number of accessible services):

  • from the Internet
  • from the university network: from addresses in the domain muni.cz, i.e. from the address ranges 147.251.0.0/16 or 2001:718:801::/48
  • from the faculty network: from addresses in the domain fi.muni.cz, i.e. from the address ranges 147.251.42–53.0/24, 147.251.58.0/24, 172.16.0.0/12 or 2001:718:801:200::/56

The university network level can be reached through the university VPN. The faculty network level can be reached through the faculty VPN (or university VPN) or through SSH tunnels (see below; using the university VPN is not sufficient); see also remote access to services in general. Private networks (172.20.0.0/12) are routed and available only within the FI network.
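The three access groups above can be expressed as a source-address classifier. This is an added example, not the faculty's own code; the function names `access_group` and `same_block` are hypothetical, and the sample addresses are constructed. It also shows that the page's two notations for the private range, 172.16.0.0/12 and 172.20.0.0/12, describe the same block once host bits are masked off.

```python
import ipaddress

# Ranges copied from the list above; 147.251.42–53.0/24 is expanded to twelve /24 blocks.
# 172.16.0.0/12 is private space, so a "faculty" verdict for it is only meaningful
# for traffic observed inside the FI network, where those addresses are routed.
FACULTY = (
    [ipaddress.ip_network(f"147.251.{n}.0/24") for n in range(42, 54)]
    + [ipaddress.ip_network(c) for c in
       ("147.251.58.0/24", "172.16.0.0/12", "2001:718:801:200::/56")]
)
UNIVERSITY = [ipaddress.ip_network(c) for c in ("147.251.0.0/16", "2001:718:801::/48")]


def access_group(addr: str) -> str:
    """Return 'faculty', 'university' or 'internet' for a source address."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Most specific group first: the faculty ranges lie inside the university ranges.
    for name, nets in (("faculty", FACULTY), ("university", UNIVERSITY)):
        if any(ip.version == net.version and ip in net for net in nets):
            return name
    return "internet"


def same_block(a: str, b: str) -> bool:
    """Compare two CIDR strings after masking off any host bits."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any log.
    for sample in ("147.251.48.10", "147.251.57.1", "172.26.3.4",
                   "2001:718:801:2ff::1", "2001:718:801:300::1",
                   "::ffff:147.251.58.7", "198.51.100.20"):
        print(f"{sample:24} {access_group(sample)}")
    print(same_block("172.20.0.0/12", "172.16.0.0/12"))
```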

The FI network is segmented and firewall-controlled, typically at the boundaries given for IPv4 by C blocks (147.251.n.0/24) and for IPv6 by the boundaries of the /64 mask (2001:718:801:2nn::/64). In general, all privileged ports of all machines are blocked.

For any change requests on the faculty firewall, contact unix@fi.muni.cz.

Examples of service availability

Externally available:

  • SSH, IMAP(S), POP3(S) on Aisa and Anxur
  • SMTP with forced authentication on relay.fi.muni.cz

Available from MU network only:

Available only from the FI network (or part of it):

SSH on ports 80, 443

If your ISP blocks communication on port 22, FI employees (and others with access to Anxur) can connect via port 80 or port 443 instead:

home$ ssh -p 80 login@anxur-ssh.fi.muni.cz

SSH tunneling

If you need to connect to a service that is only accessible from the faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts. See, for example, the ArchLinux or Gentoo documentation for a description of how to use them.

For example, Aisa can be used for this purpose. Brief examples:

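# port forwarding: local port 13306 is forwarded to db.fi.muni.cz:3306 via aisa
home$ ssh -L 13306:db.fi.muni.cz:3306 login@aisa.fi.muni.cz
# -P sets the port (-p prompts for the password); 127.0.0.1 forces TCP instead of the local socket
home$ mysql -h 127.0.0.1 -P 13306 -u login -p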

# jump hosts
home$ ssh -J login@aisa.fi.muni.cz login@nymfeNN.fi.muni.cz

Blocking IP addresses

To protect the services provided by the FI MU network, attempts to access forbidden ports of forbidden or non-existent machines are monitored. If a machine repeatedly accesses forbidden ports of forbidden machines, its behaviour is evaluated as an attempt to intrude into the FI MU network, and access from this machine to the FI MU network (including access to the IS MU) is completely blocked, usually for 24 hours. In the case of repeated incidents, a permanent block is implemented.

A separate system of blocking and blacklisting is also operated at the university level.

How to proceed in the event of a block

If you think your address is being blocked, follow the IS guidance to find out the technical details. You can check whether your IP address is blocked on the faculty firewall in the IP blacklist application in the Faculty Administration. You can check for any widespread unavailability of services on the FI side at FI Status.

You can request that the block be lifted by asking the administrators, who may terminate the block early after reviewing the circumstances. Always include your external IP address in your unblock request.