Packet Filter On University Network 36

sachsmachine explains: "I'm a student at a major university where the network admins are thinking of moving to a packet filtering system, one that would block non-university computers from connecting to machines on the student subnets. There will be a meeting to discuss the proposal on Tuesday, but to be fully prepared going in, I'd like to be sure what impacts the move would have. Some of the things that might be broken (depending on what ports get left open) are pretty clear -- remote logins of various sorts, file sharing, Web sharing, instant messaging, Napster and everything else P2P -- but are there any important/unusual/cool/academically useful applications whose ports we should lobby to protect?" By the nature of university (and corporate) rule making, once a policy is in place, it's much harder to dislodge or amend than it might be beforehand. Steve has listed a fair number of applications which could be tossed out by this; how would you suggest saving university bandwidth without losing them all? How would you convince a skeptical audience that remote access is not all of a piece?
  • by Anonymous Coward
    For every school I've seen, each student gets their own space for HTML content and many let the student with lots of CGI and/or Java access.

    Oooh, 4 whole megabytes! The pictures of my friends could take up more than that.

    No CGI. No direct access either, ftp is the only way. And that works only if your ISP has DNS set up correctly (which they should anyway, but...). And the policies say "personal homepages only", I guess I can't mention my web design business. And if you make a great personal site that people will actually want to see, you'll get access revoked due to bandwidth usage.

    And, of course, you're missing the possibility of other services. University email isn't always sufficient ("What? I can't receive that patch because the university truncates large attachments?"). Student ftp is rare and cvs is nonexistent, if you want that kind of thing. Databases are unlikely. ssh is impossible when you're off-campus for the weekend or on a job/project. Many irc networks require an identd response, can't get that with no connections. Basically any userland P2P would be broken.

    Maybe this is ok for the "normal" people who only use their computers for LookOut and Internet Exploiter, but a good number of us aren't "normal" in that way. It's not a smart move, it's a cheap-and-easy copout.

  • The blocking is done on student subnets. That means anything you wish to post must be on a machine admin'd by the University. If what you are posting is worthwhile - this should be no problem. For every school I've seen, each student gets their own space for HTML content and many let the student with lots of CGI and/or Java access.

    This is a smart move by the University to keep their network under some control.

  • I would say more power to 'em if they got that to work. Then you'd start getting into a nice little cat-mouse chase (hopefully) between the true hackers and the "hey can I copy your code" people?
  • Oooh, 4 whole megabytes! The pictures of my friends could take up more than that.
    That's what hosting companies are for. Schools are in not the business for hosting your web site.

    And the policies say "personal homepages only", I guess I can't mention my web design business.
    Go ahead and mention it. But don't expect the school (and possible taxpayer money) to pay for your network admin/bandwidth needs to support your business. If you are hosting something worthy - the University should be able to make an exception. Or maybe someone else will notice its worthiness and host it for you.

    What? I can't receive that patch because the university truncates large attachments
    If someone is sending something that big - shouldn't it be hosted somewhere? If that someone is on campus - they could still host their own ftp server for you to see.

    Databases are unlikely
    Most people don't leave their databases open for connections from anywhere. Your student subnet should be plenty.

    ssh is impossible when you're off-campus for the weekend or on a job/project
    With that net setup - you should be able to SSH out - not in, no problem there.

  • check out www.packeteer.com [packeteer.com].
    Very very cool box for bandwidth management...
    The problem with this is a matter of the money. At my school (UIUC), residence hall users are limited to 500MB total traffic per day. They're working on a process to implement a sliding-scale bandwidth limiter, but when you've already got something in excess of 50,000 currently allocated IP addresses, it's not too easy. Plus, we're also the local POP for most of the region's ISPs, with the exception of the DSL folks and @Home.

    One of our netadmins ran the budget analysis, and for unlimited access, every dorm resident would need to fork over $150/year above and beyond current housing rates (~$5600/yr). That's assuming everyone pays. Figuring an average of one computer per dorm room, that amount nearly doubles.

    As it was, at peak times, Napster alone was accounting for over 60% of outbound traffic on our commodity links (non-Internet2).
  • it would be easier to convince network admins to let http through. ftp is a bitch to firewall properly, since in normal mode it opens a connection back to the client. If i remember right, though, passive mode makes a firewall around the server a pain.

    in addition to all that complexity, a lot of linux distros, particularly when the it's not the most recent version, come with massively vulnerable ftp daemons. if somebody manages a root shell, then the firewall doesn't offer any protection anyway. just bandwidth limitation. and who wants rooted boxes on their network anyway?

  • My university implemented a hard nosed firewall late last semester. At the time, I had all my e-mail redirected to my qmail server in my room. I wondered why I hadn't gotten any e-mail in a few days, so I had a friend of mine connect to my server to try and check it out... Connection Refused was the reply. Slowly, I realized why we had a half hour network hiccup a few days earlier. They had put a firewall between me and the outside world.

    I did a little bit of testing of the firewall. A portscan from an outside system showed that all 65535 TCP ports were filtered. Great. I now have trouble connecting to things like IRC (can't connect to EFnet at all, because they REQUIRE an ident response). I finally found a way to redirect my campus mail box to my server. I can SSH into my box by hopping through the CS server. That's really all I need. I'm currently talking to administration about getting those three ports opened up, but I haven't heard anything for a couple of weeks now. We shall see what happens.
  • Yeah, but when some non-technically-knowledgeable student's computer is taken out by an attack that would have been blocked by the firewall, they and their parents will try to hold the university responsible. "You knew this could happen, why didn't you protect me?" The only way to cover their asses is to protect everything or nothing, and nothing is an awful option.

  • Sounds interesting, but here at UK we run into a situation where a cable modem is in a dorm room with four RJ-45 jacks, let's say my luser roommate (true story) is still paying aol 9.95/mo on the bring your own access plan and I want to run a fat apache/MySQL box so I can learn how to admin a machine. Unfortunately, the whole damned campus is dynamically IPed, your solution wouldn't work out in this case, or we would have to move approx 4000 addresses to static and have more tech support calls because the lusers tinker with their network settings.
  • For State-run Universities, it is generally, either thru AUPs or State Law, to use State facilities, that is servers, for explicitly Political speech, i.e. Vote for X.

    Since the University has a monopoly on connectivity in residence halls, that is Students' homes, the bandwidth is arguably more apt than the servers to qualify as a Public Forum, and thus should be open to Students' own webservers.

  • What if they want to connect to their computer in their dorm room though? Myself (not in a dorm however) have a server running where I can save my data from school to (via ftp I might add) and then when I get home I have easy access to the files, this beats carrying around disks or any other type of storage media.

    I also can connect back to my server to grab the data anywhere I have a internet connection, so it doesn't matter where I am, I can get at it.
  • Well, you could've invited the volunteer organization to campus and demoed the PHP/MySQL combo from a University Lab that could connect to your dorm room. Or, you could visit them and dial in to your campus. And the academic usefulness of this is still not answered.
  • I have heard of Passive mode. The moron installing and selling firewalls had not.
  • If the students have CGI access, then there is little preventing them from running a port-forwarding doohicky to bypass the whole filter. Of course that might result in a little visit from your pointy-headed tech.
  • I attend a university where all computers on the student subnet (dorms and on-campus apartments) are located behind a firewall. Although the firewall blocks direct access to all ports, almost all services are available through the socks5 protocol. The downside is that you can't run a publicly accessible server since it can't be seen from the outside.
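The SOCKS5 arrangement described in the comment above works because the student side only ever opens outbound connections to the proxy; the proxy opens the real connection on its behalf. The following is an added example, not code from the thread or from any university's setup: it builds the client half of the RFC 1928 exchange (greeting, CONNECT request) and parses the server's reply. The sample reply bytes and the addresses (10.20.x.x as a student subnet, a proxy bound at 10.20.0.1) are constructed for the example. The "no authentication" method is what most campus proxies of this kind offered, which is exactly why such a proxy must only be reachable from inside the filtered subnet.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT, CMD_BIND = 0x01, 0x02          # BIND is what an inbound-accepting service would need
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH = 0x00
REP_SUCCEEDED = 0x00


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> server: VER, NMETHODS, METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_request(host, port, cmd=CMD_CONNECT):
    """Client -> server: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.
    A dotted-quad host is sent as ATYP 0x01; anything else as a domain name
    (ATYP 0x03, length-prefixed), leaving DNS resolution to the proxy."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    Returns (rep, bound_addr, bound_port); raises on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated reply")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return rep, addr, port


# Constructed sample: the proxy at 10.20.0.1 reports success and that it bound
# local port 1025 for the outbound leg of the CONNECT.
SAMPLE_REPLY = bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4]) \
    + socket.inet_aton("10.20.0.1") + struct.pack("!H", 1025)

if __name__ == "__main__":
    print(build_greeting().hex())
    print(build_request("example.com", 80).hex())
    print(parse_reply(SAMPLE_REPLY))
```

Usage note: a real client would `sendall(build_greeting())`, read the two-byte method selection, `sendall(build_request(...))`, then `parse_reply` on what comes back before treating the socket as a tunnel to the destination. Nothing in this protocol lets an outside host reach the student's machine unless the proxy honours BIND, so the comment's observation that public servers are impossible behind it holds.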

  • Plus, we're also the local POP for most of the regions ISPs

    Sounds like UIUC should be giving that bandwidth to the students instead of reselling it. I'm horrified to hear there's a public university using tax money to compete with commercial providers of ISP POPs.

  • I would suggest two tactics.

    First, point out that there are legitimate, academics-enhancing usages of an unrestricted LAN -- i.e. things other than Napster. I keep an FTP and VNC server running on my computer -- well locked down, of course -- so that I can access files and resources on my computer when I'm in a lab or something. Given that university computers don't generally have a CD-RW drive and many files are too big for floppies these days, it is a great help. Furthermore, if you are working on a networked academic project -- which is just going to increase in the coming years -- it is extremely useful to not have to worry about it being locked down. And them just filtering from the public Internet isn't going to help, as that will prevent anybody who doesn't live on campus from aiding development of networked projects.

    The second prong is more legal and philosophical. You want them to make sure that they are not going to be acting like your personal monitor. This destroys student academic freedom and exposes them to a lot of liability. Once they start blocking incoming connections, the route to first blocking porn sites, then "Objectionable" sites, and then you get the picture after that.
  • It is interesting that given these constraints, Gnutella file sharing clients will still work. You will be able to make outgoing requests (and you can use any port) which is all that the protocol needs. Others will be able to download from you by pushing a request to you and having you open the outgoing connection. This is all built in to the Gnutella clients.

    These types of actions will however degrade the Gnutella network if everyone adopts them. To some extent, there is a slight shortage of available "Incoming" connections. The network relies on those able to accept incoming connections to do so rather than make outgoing ones. Both types of connections work the same regardless. See Gnutelliums [gnutelliums.com]
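The push mechanism the comment above describes, and its failure mode when both sides are filtered, is easy to see in a small model. This is an added example, not code from the thread or from any Gnutella client: it models who can open a TCP connection to whom, routes a PUSH to a firewalled host, and counts how many node pairs can still transfer as more nodes stop accepting inbound connections. Node names, file indexes and the shape of the PUSH and GIV messages are simplified for the example and are not the exact Gnutella wire format.

```python
from dataclasses import dataclass, field
from itertools import permutations


@dataclass
class Node:
    name: str
    accepts_inbound: bool                       # False = behind the campus packet filter
    files: dict = field(default_factory=dict)   # file index -> filename


def can_open(src, dst):
    """An unsolicited TCP connection from src to dst only succeeds if dst is
    reachable from outside; the filter drops inbound SYNs to filtered nodes."""
    return dst.accepts_inbound


def push_message(requester, host, file_index):
    # Simplified PUSH: tells `host` which file to serve and where to connect back.
    return {"target": host.name, "index": file_index, "connect_back_to": requester.name}


def download(requester, host, file_index):
    """Returns (method, filename, giv_line). method is 'direct' or 'push'.
    Raises ConnectionError when neither side can accept the connection."""
    filename = host.files[file_index]
    if can_open(requester, host):
        return ("direct", filename, None)
    # Host is filtered: the PUSH travels over the already-open overlay links,
    # then the host opens the *outbound* connection and announces the file.
    push = push_message(requester, host, file_index)
    if not can_open(host, requester):
        raise ConnectionError("both peers are firewalled; PUSH has nowhere to connect back to")
    giv_line = "GIV %d:%s/%s" % (push["index"], host.name, filename)
    return ("push", filename, giv_line)


def transferable_pairs(nodes):
    """Number of ordered (requester, host) pairs for which some transfer path
    exists. With every node filtered this drops to zero, which is the
    degradation the comment warns about."""
    count = 0
    for a, b in permutations(nodes, 2):
        if can_open(a, b) or can_open(b, a):
            count += 1
    return count


# Constructed sample network: one open node, two filtered ones.
A = Node("A", accepts_inbound=True, files={1: "lecture-notes.pdf"})
B = Node("B", accepts_inbound=False, files={7: "thesis-draft.tex"})
C = Node("C", accepts_inbound=False, files={3: "homework.zip"})

if __name__ == "__main__":
    print(download(B, A, 1))
    print(download(A, B, 7))
    print(transferable_pairs([A, B, C]))
```

The ratio `transferable_pairs(nodes) / (n * (n - 1))` is the quantity that falls as campuses adopt inbound filtering: every filtered node depends on an unfiltered partner for both directions of transfer.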

  • As a systems guy for a University, I know that announcements often come out several months before there is any implementation. My guess is that your school is going to follow the same path and have open meetings to discuss options. There is no way that a major school can shut off TCP ports 21-25 or 80 and 443. Those ports are the backbone of what many people consider the internet.

    It is advisable, however, to shut off some TCP ports, especially those over 10000, and to limit the number of UDP ports offered at all.

    Attend the meetings and find out what the central administration has in mind. Once you know where they are willing to draw the line, you can more easily negotiate opening more ports. Once the policy is written, however, it will be harder than hell to change.

  • If it is a public university, point out the stance Michigan and Wisconsin(Madison) have taken:

    Both have said that as public universities, they will not filter content, and if they need more bandwidth, then they will get it. (I assume, to a point)

    At my private university, the student government has a major role in the network (or can if it wants to) -- so if the suit behind the admins is making poor choices that aren't what the student body wants, chances aren't that slim that said suit will be looking for work. Our school actually passed a resolution to the effect that nothing can be done to the network which inhibits students ability to use the internet just as if they were using an ISP. (since the university is our ISP) -- since then, many of the filters and packet shapers have disappeared almost completely.

    -Davidu
  • Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    Certainly there are useful reasons. For example, I've got PHP and MySQL on my personal machine, whereas the standard university servers that I have access to do not. I was thus able to develop and demo a web application for a volunteer cause, show it to them, and make changes before obtaining the permanent box (outside of the university) that it'll run on.
    --
    // mlc, user 16290

  • This is always a tricky one. I work as an admin in an engineering department of a british university. Much of the stem of these problems are due to the fact that when people have "unlimited" access to the network, they tend to use it in ways that stress the network to the limit, or go beyond the terms of acceptable use. One showcase in point occurred recently within our department, when two PCs in one room were accounting for one quarter of the whole University bandwidth!! Needless to say, the work was not academic - playstation CD images and MP3s. Several abuses of the kind have resulted in a set of new guidelines being introduced, which go as far as to say that machines should not be networked unless absolutely necessary, and that students are not allowed to admin machines any more.

    I don't know what the case is for American Universities, but nowadays in Britain, the Unis are coming under tighter and tighter financial restraints. Many universities probably don't mind too much about people using the available bandwidth in moderation, but these kind of abuses of the privilege (and it is a privilege to use the Uni network for non-academic purposes), make it impossible to justify why free access should be given when there is no (financial) need for it -especially when cash-constricted departments are having to bear the cost of non academic browsing, without having money available to pay for it - which was less of a problem in the older days, when money was flowing more freely within the universities, and general network usage was lower.....

    Try to understand the awkward position that many of these universities are in in this respect. Often, it is not necessarily the desire to curtail the usage of the network out of badness that is the problem, but external influences such as cost and protecting themselves from prosecution, which the Universities don't have the resources to meet.

  • I would deem those as essential services. A reasonable case can be built that students need NetMeeting to communicate with family members as an alternative to long distance telephone. This is especially important to foreign students who simply cannot afford the dollar/min or more to reach South America, Eastern Europe or Asia.
    Real life example: My brother's GF is Peruvian and regularly uses ICQ and NetMeeting to keep in touch with Lima from Canada. We spend 90 min on the webcam last New Year's eve; something impossible with a telephone. I dare not think how much that would've cost in LD charges.
  • There are three problems with this argument:

    • The students can still obtain bandwidth at a private ISP, just like all other citizens. Even if the students can't use the dorm phone lines to connect to their private ISP (common in university-run phone systems), they can almost certainly still telnet/passive ftp into it via their broadband access.
    • Suppression of ALL political speech is generally considered more acceptable than suppression of SOME political speech, since there's no risk of favoritism. Students do have alternatives to their campus-run ISP.
    • The student's community, to a large extent, is the university itself. It sounds like this policy will still allow dorm-room servers to be set up, but they will only be visible from within the university.

    The university's actions will certainly impose a modest burden on the student's political speech, but it doesn't seem to be an unreasonable one.

  • The University won't consider these essential services if the University runs the dorm's telephone service (and, thus, makes a cut off of the long distance)...
  • Depending on how they set things up, it probably won't affect most things that are deemed "what normal people should do". ICQ and AIM will work fine, except generally for file transfers. You might also have trouble with voice-IP apps. Other than that, there are answers to most of the arguments that can be made, mostly, "you should be using university managed machines for that."

    What it will do is shut down most of the pirates, which is probably why they're doing it, and napster.

    Most universities pay discounted rates for their net connections, but some of the stipulations are that it only be used for educational purposes, and maybe a bandwidth limit. Lots of incoming traffic to the student net most likely means stuff is going on that shouldn't be.

    Probably your only real argument will be simply that in a university environment, you shouldn't restrict stuff because of free expression, blah blah blah... oh, and "once you do this, where does it end?"
  • Yes, remember FTP.

    Four or five years ago the current employer decided to sell firewalls. They put one in place at work to test it out, and caused all FTP access from a browser to be broken for at least 3 months, made worse by our major supplier using FTP urls in their call logging system. (To download a file we had to browse the web source and manually grab the file by a command-line FTP client which worked via the other method).

    The team responsible for selling these firewalls never managed to fix it. In the end one of my colleagues got hold of the firewall password and fixed it in a few seconds. I think this team only managed to sell 3, and all of them cancelled the support contract within 6 months.

  • I am almost certain that the school's reason for doing this is bandwidth related. In order to let students do what they want and keep the network running smooth, use prioritization. University run systems are true-firewalled, while student machines are DMZed and are lower priority than University machines. See QoS/fair (unfair!) queuing.

  • Everywhere I've seen (granted that comes to about 10 universities total) students are required to fill out a form acknowledging not to do anything particularly bad before they can plug in. This could be handled when they're picking their login ID (and if your school doesn't let people pick their own login IDs either, well, I guess we have nothing further to talk about. Hmph.).

    In any case, it could be done online with - get this - electronic forms. Cost pretty much approaches zero. The list of who goes where can be fed by a web app into the DHCP server. Likewise they get automatically dumped onto the mailing list. A machine runs nessus against the machines in the no-filter pool, dumps the results to a $9/hr work study student, who sifts through and picks out the ones with lots of red, which are handed to a $12/hr student consultant. This is a dirt-cheap project.

  • Well, first I would like to applaud the university for doing something, anything to help protect their students and departments. They might not be going about it exactly the right way, but they're trying.

    If they were trying to protect students, there would be a space on the dorm ethernet sign-up form that said:

    Would you like your system to be protected by our campus firewall? This will help prevent outsiders from breaking into your computer, but may also prevent you from running certain types of servers in your room. Students who answer "no" will be required to provide an email address that will be subscribed to our mailing list of vulnerabilities, and to repair these promptly. There will be spot checks of your computer systems using remote security analysis software, and if it is found that you have failed to address vulnerabilities or apply fixes as required, you will forfeit your connection for the remainder of the school year.

    Student machines would be tossed into one of two address pools depending on their answer.

    All they're trying to protect are their own behinds and budgets, at the expense of the students' learning environment.

  • by jmaslak ( 39422 ) on Monday February 19, 2001 @05:51AM (#420362)
    Outgoing FTP (connecting to an off-site server) causes the FTP server to initiate a connection back to you.

    While it is true that many firewalls have logic to allow this, simple packet filters do not and can not - you have to allow anything with a SOURCE port of 20 to connect to ANY high numbered port. But, this argument against packet filters only works if they really are using a packet filter - and not some sort of smart firewall.

    As far as a university denying connections, make sure that there is some way to gain exceptions to this policy, just in case there are academic reasons for doing something down the road. For instance, they could require a proposal signed off by a department head, which indicates the academic value of opening the port and what precautions you are taking against abuse.

    Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    Find out what their reasons for doing this are. Are they trying to reduce a security threat? Or is it really bandwidth? Make sure your argument addresses their - legitimate - concerns.
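The point made above (and earlier in the thread) about active-mode FTP is the one that decides whether "packet filter" and "firewall" are interchangeable in this meeting. A filter with no connection memory must let any segment with source port 20 reach any high port on the student net, and that rule is usable by anyone who sets their own source port, which `nmap -g 20` does. The following is an added example, not code from the thread: a toy stateless filter with exactly that rule beside a minimal stateful one that only expects the data connection after seeing the PORT command. The 10.20.0.0/16 student prefix, the server and scanner addresses, and the packet fields are constructed for the example.

```python
from dataclasses import dataclass

STUDENT_PREFIX = "10.20."          # assumed student subnet for the example
FTP_DATA_SRC_PORT = 20


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool     # connection-opening segment
    ack: bool


def is_student(ip):
    return ip.startswith(STUDENT_PREFIX)


def stateless_allow(pkt):
    """Stateless rules, evaluated per packet with no memory:
    1. anything leaving the student net passes;
    2. replies into the student net (ACK set, SYN clear) pass;
    3. inbound SYNs are dropped, except the rule active FTP forces on a
       stateless filter: source port 20 to any port above 1023."""
    if is_student(pkt.src_ip):
        return True
    if not is_student(pkt.dst_ip):
        return False
    if pkt.ack and not pkt.syn:
        return True
    if pkt.syn and pkt.src_port == FTP_DATA_SRC_PORT and pkt.dst_port > 1023:
        return True
    return False


class StatefulFilter:
    """Remembers which inbound data connections a student actually asked for.
    A real FTP-aware firewall parses the PORT command on the control channel;
    here that is modelled by an explicit note_port_command() call."""

    def __init__(self):
        self.expected = set()   # (server_ip, student_ip, data_port)

    def note_port_command(self, student_ip, server_ip, data_port):
        self.expected.add((server_ip, student_ip, data_port))

    def allow(self, pkt):
        if is_student(pkt.src_ip):
            return True
        if not is_student(pkt.dst_ip):
            return False
        if pkt.ack and not pkt.syn:       # simplified; real filters consult a flow table
            return True
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and pkt.src_port == FTP_DATA_SRC_PORT and key in self.expected:
            self.expected.discard(key)    # one data connection per PORT command
            return True
        return False


# Constructed traffic: a genuine FTP data connection and a scan abusing the same rule.
FTP_DATA = Packet("192.0.2.10", 20, "10.20.5.7", 40001, syn=True, ack=False)
SCAN_X11 = Packet("198.51.100.9", 20, "10.20.5.7", 6000, syn=True, ack=False)
SSH_IN = Packet("198.51.100.9", 51515, "10.20.5.7", 22, syn=True, ack=False)


def compare(pkt, stateful):
    return (stateless_allow(pkt), stateful.allow(pkt))


if __name__ == "__main__":
    sf = StatefulFilter()
    sf.note_port_command("10.20.5.7", "192.0.2.10", 40001)
    for p in (FTP_DATA, SCAN_X11, SSH_IN):
        print(p.dst_port, compare(p, sf))
```

The difference shows up on `SCAN_X11`: the stateless filter passes it because it is indistinguishable from an FTP data connection, the stateful one drops it because no student asked for it. This is the concrete fact to put in front of the admins when they say "packet filter".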
  • by Lish ( 95509 ) on Monday February 19, 2001 @09:40AM (#420363)
    Well, first I would like to applaud the university for doing something, anything to help protect their students and departments. They might not be going about it exactly the right way, but they're trying.

    To make an assessment of how you should approach them, you need to know what their motivation is for doing the packet filtering. Is it for security? Is it to limit bandwidth consumption for nonacademic purposes? Is it to stop piracy? Knowing their reasons will help you make your arguments for allowing those services you want.

    Now, if it's being done for security reasons, you'll have to argue that the services you want to keep open don't provide a security threat. Maybe get some statistics on number of attacks that utilize the different ports you're after.

    If piracy (software, music, whatever) is their reason, you'd want to demonstrate the academic uses for what they're trying to block. In this case you're probably SOL on Napster, but you might get FTP to fly. The only "academic" use I can think of for Napster is a Music Performance major who makes his personal works/performances available through Napster. Show the legit uses for the medium.

    Bandwidth consumption is a sticky issue. You'll again have to show an academic need for the service, but also that it does not consume an unacceptable amount of bandwidth. Maybe get some logging statistics for the network, find out what protocols are hogging the network; are the problems being caused by only a few people? There are better ways to control bandwidth use than wholesale blocking incoming packets.

    As for "what ports to keep open," the easiest thing to do is survey the students on what network programs they use. It's easier to argue that X should be open because lots of students use it than some obscure program with limited value to the community from keeping it open.

    It's really not so important what ports are open now as that there is a means of petitioning for ports to be opened in the future. That will allow you to make changes as new programs are developed using new ports.

    Good luck, I hope they consider your case well.

  • by BigDogKelly ( 304379 ) on Monday February 19, 2001 @07:23AM (#420364)

    Being a fellow college student who spends most of his time doing computer stuff (yes I am guilty of being a CS major), I share your fears. I didn't like it when they blocked Napster- unfortunately they had a good reason-bandwidth. We tried going to the Admins but were denied. Luckily, being the good CS geeks that we are, we found ways around it.

    When you go before the Admin group at school, have your battle plan laid out. Know your strong points and be able to defend your weak points. Be sure to bring friends who share your concerns. If your Teachers agree with you, bring them along too. The bigger your group and more importantly, the better your arguments are, the better off you look to those in charge. If they see that you are not alone they will be more likely to deal fairly with you. Even if you're solid, logical approach at this meeting fails, get creative. If the packet filter gets installed, experiment with different ways of getting around it. Now, I am in NO way promoting the idea of doing any type of damage to it or even causing more work for the admins., but see if there are certain things the filter misses. When you find that out you may be able to use it to your advantage. Just remember, try the system first (it may actually work) but there are always other ways.

  • The worst thing you can do in an academic setting
    is imply that you are using the network connection for anything other than direct academic uses.
    SSH/telnet ports should be easy to keep open. Explain that you're using them for remote access to email or whatever.
    Many students put up personal webpages for their job search - resumes, downloadable snippets of code, etc. Point out that that will be gone.
    Pick your battles, though. You may not win on http, but shoot for ftp, or vice versa. Don't throw down over Napster or the like,
    because from an academic standpoint, there is not much use.

    Good luck!
  • by raju1kabir ( 251972 ) on Monday February 19, 2001 @02:36PM (#420366) Homepage
    Sadly, though, my guess is that there aren't too many academic reasons for putting a server in your dorm room instead of using a university managed server - other than to try to put up a server which doesn't fall under the normal AUP. Sure, it's a fun project and teaches a lot about administration - but it provides little academic gain that setting up a university-wide-only server would not.

    I couldn't disagree more. Almost all of the current crop of gifted internet technicians (at least those that I'm aware of) learned their stuff by running servers in their college dorm rooms. Throwing static HTML up on a central web server isn't even the same ball game.

    I would furthermore suggest that any university that imposes restrictions such as those mooted in this article is not serious about providing residence hall internet access as an academic resource, and is instead doing it for one of three reasons:

    • They think it's "the thing to do"; all the schools are doing it
    • It's cheaper than providing sufficient public terminals for web browsing in the library (don't get me started on web "research")
    • They see it as a competitive factor in drawing students (like a fancy lobby and nice donuts in the campus information building)

    Sure there's abuse. So throw on some rate limiters. What's far more important is the amazing collaborative learning that takes place in this environment; students with no technological ability learning from others how to become content providers and participants in the internet information space just like huge corporations (CNN, Amazon, etc). It's empowering, it's educational, it's a crucial step toward preparing students for the real digital world past the campus gates.

    As an undergrad, I attended a university with a strong technological focus and a solid commitment to exposing students to IT (U of Michigan). When I look at my classmates, and compare them to less fortunate students at other schools, the difference is shocking. My fellow alum are totally comfortable with email, with the web, with their computers, with the changes in the world around them. Ten years later I went to grad school at a university with basically no on-campus technology (Yale; though they have finally wired most of the dorms at least). Ten years later, with all this technology supposedly so much more pervasive, and the students at Yale don't have anywhere near the comfort with it. They're intimidated by computers, and just as important, they're BAD at using them.
