Restrictions on access to the FI MU network
Access to the faculty network is restricted to increase its security. Broadly, three levels of access can be distinguished (with increasing trustworthiness and number of accessible services):
- from the Internet
- from the university network: from addresses in the domain muni.cz, i.e. from the address ranges 147.251.0.0/16 or 2001:718:801::/48
- from the faculty network: from addresses in the domain fi.muni.cz, i.e. from the address ranges 147.251.42–53.0/24, 147.251.58.0/24, 172.16.0.0/12 or 2001:718:801:200::/56
The university network level can be accessed by using the university VPN. The faculty network level can be accessed by using the
faculty VPN (or university VPN) or by using SSH tunnels (see below; using the university VPN is not sufficient) or see also
remote access to services in general. Private networks (172.20.0.0/12) are routed and available only within the FI network.
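As an added example (not part of the FI documentation), the following Python code classifies a source address into the three levels above using the ranges listed on this page, and checks whether a client meets the minimum level a service requires; the FI ranges are a subset of the MU ranges, so they are tested first. The service levels used in the demo are assumed for illustration.

```python
import ipaddress

# Ranges as listed on this page. "147.251.42-53.0/24" expands to twelve /24 blocks.
FI_RANGES = [ipaddress.ip_network(f"147.251.{n}.0/24") for n in range(42, 54)] + [
    ipaddress.ip_network("147.251.58.0/24"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("2001:718:801:200::/56"),
]
MU_RANGES = [
    ipaddress.ip_network("147.251.0.0/16"),
    ipaddress.ip_network("2001:718:801::/48"),
]

# Ordering of trust levels: internet < muni < fi.
LEVELS = {"internet": 0, "muni": 1, "fi": 2}


def access_level(addr: str) -> str:
    """Return 'fi', 'muni' or 'internet' for a source address (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    # Most specific first: every FI address is also an MU address.
    if any(ip in net for net in FI_RANGES):
        return "fi"
    if any(ip in net for net in MU_RANGES):
        return "muni"
    return "internet"


def can_reach(addr: str, required: str) -> bool:
    """True if a client at addr meets the minimum level a service requires."""
    return LEVELS[access_level(addr)] >= LEVELS[required]


if __name__ == "__main__":
    # Constructed sample clients and assumed service levels (not from the page).
    services = {"ssh on aisa": "internet", "db.fi.muni.cz:3306": "fi"}
    for client in ("8.8.8.8", "147.251.100.1", "147.251.43.7", "2001:718:801:2ab::1"):
        reach = [s for s, lvl in services.items() if can_reach(client, lvl)]
        print(f"{client:22} level={access_level(client):8} reachable={reach}")
```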
The FI network is segmented and firewall-controlled, typically at the boundaries given for IPv4 by C blocks (147.251.n.0/24) and for IPv6 by the boundaries of the /64 mask (2001:718:801:2nn::/64). In general, all privileged ports of all machines are blocked.
For any change requests on the faculty firewall, contact unix@fi.muni.cz.
Examples of service availability
Externally available:
- SSH, IMAP(S), POP3(S) on Aisa and Anxur
- SMTP with forced authentication on
relay.fi.muni.cz
Available from MU network only:
Available only from the FI network (or part of it):
SSH on ports 80, 443
Should your ISP block communication on port 22, we provide the option for FI employees (and others with access to Anxur) to connect via port 80 or 443:
home$ ssh -p 80 login@anxur-ssh.fi.muni.cz
SSH tunneling
If you need to connect to a service that is only accessible from a faculty or university network, you can use the options provided by SSH: SOCKS proxy, port forwarding, jump hosts. See, for example, the ArchLinux or Gentoo documentation for a description of how to use it.
For example, Aisa can be used for this purpose. Brief examples:
# port forwarding
home$ ssh -L 13306:db.fi.muni.cz:3306 login@aisa.fi.muni.cz
# -P (uppercase) is the port; -h 127.0.0.1 forces TCP so the tunnel is used
home$ mysql -h 127.0.0.1 -P 13306 -u login -p
# jump hosts
home$ ssh -J login@aisa.fi.muni.cz login@nymfeNN.fi.muni.cz
Blocking IP addresses
In order to protect the services provided by FI MU networks, attempts to access forbidden ports of forbidden or non-existent machines are monitored. If a machine repeatedly accesses forbidden ports of forbidden machines, its behaviour is evaluated as an attempt to trespass into the FI MU network and access from this machine to the FI MU network (including access to the IS MU) is completely blocked, usually for 24 hours. In the case of repeated incidents, a permanent block is implemented.
Another system of blocking and blacklisting is then also operated at the university level.
How to proceed in the event of a block
If you think your address is being blocked, follow the IS guidance to find out the technical details. You can check whether your IP address is blocked on the faculty firewall in the IP blacklist application in the Faculty Administration. You can check for any general unavailability of services on the FI side at FI Status.
You can request that the block be lifted by asking the administrators, who may terminate the block early after reviewing the circumstances. Always include your external IP address in your unblock request.