ACL for Incoming Traffic

Last changed: 2022-12-02

There is a firewall that blocks incoming traffic to the NREC instances and infrastructure. This is done to protect our users and their services running on NREC.

Some ports are completely blocked, meaning that traffic to those ports are not allowed from anywhere. For other ports, traffic from IP addresses belonging to Norwegian universities and colleges are allowed, and blocked from anywhere else.

Completely Blocked Ports

The following ports are completely blocked:

Port Protocol Service Comment
23 All telnet Telnet is an unencrypted remote login service that should never be used. Use an encrypted service such as SSH instead
111 All portmapper The portmapper protocol is mostly used for NFS versions 2 and 3. It is vulnerable to DDoS attacks and should not be exposed to the internet
139 All netbios-ssn This port is used for SMB/CIFS services. Exposing SMB from NREC to the outside presents a wealth of security concerns
445 All microsoft-ds This port is used for SMB/CIFS services. Exposing SMB from NREC to the outside presents a wealth of security concerns
2049 All nfs Exposing NFS from NREC to the outside presents a lot of security concerns

Allowed only from Norwegian Universities and Colleges

The following ports are blocked, except from Norwegian universities and colleges.

Port Protocol Service Comment
25 All SMTP Port used by mail servers. If not managed with great care, mail servers are easily exploited
53 All Domain Name Service (DNS) There are very few reasons why one would want to run DNS servers in NREC. An incorrectly configured DNS service could disrupt other services running on NREC
1186 All MySQL Cluster Database ports should never be open on the internet
1433 All Microsoft SQL Server Database ports should never be open on the internet
1434 All Microsoft SQL Monitor Database ports should never be open on the internet
3128 All Squid Web Proxy An exposed Squid service is a security concern and should not exist in NREC
3306 All MySQL Database ports should never be open on the internet
3389 All RDP Port used to grant graphical login access to Windows servers. Easily exploitable if the server is not patched aggressively
5432 All PostgreSQL Database ports should never be open on the internet
5900 All VNC Port used for VNC, which is easy to set up wrong and should not be exposed on the internet
6379 TCP Redis noSQL database Database ports should never be open on the internet
8080 All “Configuration Port” Port used by various web services (e.g. Tomcat) for configuration and admin access. Should not be open to the whole internet
8443 All “Configuration Port” Port used by various web services for configuration and admin access. Should not be open to the whole internet
9200 TCP Elastisearch The default port used by Elasticsearch for requests
27017 TCP MongoDB noSQL database Database ports should never be open on the internet