ACL for Incoming Traffic

Last changed: 2024-07-08

There is a firewall that blocks incoming traffic to the NREC instances and infrastructure. This is done to protect our users and their services running on NREC.

Some ports are completely blocked, meaning that traffic to those ports are not allowed from anywhere. For other ports, traffic from IP addresses belonging to Norwegian universities and colleges are allowed, and blocked from anywhere else.

Completely Blocked Ports

The following ports are completely blocked:

Port

Protocol

Service

Comment

23

All

telnet

Telnet is an unencrypted remote login service that should never be used. Use an encrypted service such as SSH instead

111

All

portmapper

The portmapper protocol is mostly used for NFS versions 2 and 3. It is vulnerable to DDoS attacks and should not be exposed to the internet

139

All

netbios-ssn

This port is used for SMB/CIFS services. Exposing SMB from NREC to the outside presents a wealth of security concerns

445

All

microsoft-ds

This port is used for SMB/CIFS services. Exposing SMB from NREC to the outside presents a wealth of security concerns

2049

All

nfs

Exposing NFS from NREC to the outside presents a lot of security concerns

Allowed only from Norwegian Universities and Colleges

The following ports are blocked, except from Norwegian universities and colleges.

Port

Protocol

Service

Comment

25

All

SMTP

Port used by mail servers. If not managed with great care, mail servers are easily exploited

53

All

Domain Name Service (DNS)

There are very few reasons why one would want to run DNS servers in NREC. An incorrectly configured DNS service could disrupt other services running on NREC

1186

All

MySQL Cluster

Database ports should never be open on the internet

1433

All

Microsoft SQL Server

Database ports should never be open on the internet

1434

All

Microsoft SQL Monitor

Database ports should never be open on the internet

3128

All

Squid Web Proxy

An exposed Squid service is a security concern and should not exist in NREC

3306

All

MySQL

Database ports should never be open on the internet

3389

All

RDP

Port used to grant graphical login access to Windows servers. Easily exploitable if the server is not patched aggressively

5432

All

PostgreSQL

Database ports should never be open on the internet

5900

All

VNC

Port used for VNC, which is easy to set up wrong and should not be exposed on the internet

6379

TCP

Redis noSQL database

Database ports should never be open on the internet

8080

All

“Configuration Port”

Port used by various web services (e.g. Tomcat) for configuration and admin access. Should not be open to the whole internet

8443

All

“Configuration Port”

Port used by various web services for configuration and admin access. Should not be open to the whole internet

9200

TCP

Elastisearch

The default port used by Elasticsearch for requests

27017

TCP

MongoDB noSQL database

Database ports should never be open on the internet