CS Department Firewall

The CS Department runs a firewall to protect internal hosts from unwanted external network traffic. Due to the nature of firewalls, this can sometimes cause problems for some applications or services that reside behind the firewall. If you are experiencing a problem that you believe is caused by the firewall, please contact csstaff@cs.princeton.edu and we can work with you to find a solution.

By default we block all incoming network ports from outside the department into those network subnets where we place personal workstations. Because of this, ping and other network applications that try to contact a host behind the firewall from outside will not work. On department network subnets where we place personal workstations, we employ a technology known as "Network Address Translation" or NAT. This means that any IP packets you send outside the department will have their source IP address translated into an IP address owned by the firewall. As reply packets come back to the firewall from outside, the firewall looks up a translation table and rewrites the destination IP address from its own address back to your workstation's address.

Because of this setup, we also employ a second technology known as "Split DNS." In brief, the DNS zone 'cs.princeton.edu' returns different records depending on whether the query comes from inside or outside the department. When querying the zone from inside the department you'll find it contains each and every host registered with us. But when querying the zone from outside the department you'll see it only contains those entries which are on subnets where NAT is not used. Hence your workstation's host name will not be there, since it is being NAT'ed. Another side effect of NAT is that some telephony applications may not work, because most, if not all, telephony apps need to reach your workstation's IP address directly from outside the department.
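The NAT and Split DNS behaviour described above, modelled as an added Python example (this is not the department's firewall configuration or any code from this page): a stateful source NAT that translates outbound packets, maps replies back through its table and drops unsolicited inbound traffic, plus a zone that answers internal and external queriers differently. The subnets, addresses and host names are constructed placeholders from documentation and private ranges, and the sequential port-allocation scheme is an assumption.

```python
"""Toy model of a stateful source NAT and a split-DNS zone.

Constructed illustration: the subnets, addresses and host names are made-up
placeholders (RFC 1918 / RFC 5737 ranges), not the department's real ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed topology: personal workstations sit on a NAT'ed private subnet,
# servers sit on a routed subnet that is reachable directly from outside.
WORKSTATION_SUBNET = ipaddress.ip_network("10.8.0.0/16")   # NAT'ed
SERVER_SUBNET = ipaddress.ip_network("192.0.2.0/24")        # not NAT'ed
FIREWALL_PUBLIC_IP = "198.51.100.1"                         # NAT source address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNAT:
    """Rewrites the source of outbound packets to the firewall's address and
    reverses the rewrite for replies that match an existing table entry."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port          # assumed: sequential port pool
        # public_port -> (inner_ip, inner_port, remote_ip, remote_port)
        self.table = {}
        # (inner_ip, inner_port, remote_ip, remote_port) -> public_port
        self.by_flow = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a workstation packet leaving the department."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:          # first packet of this flow
            self.by_flow[flow] = self.next_port
            self.table[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Re-translate a reply, or return None to drop it. Anything that is
        not a reply to a flow the workstation opened (a ping, a port probe, a
        packet from a different remote host) has no matching table entry."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        inner_ip, inner_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                       # not the host the flow went to
        return Packet(pkt.src_ip, pkt.src_port, inner_ip, inner_port)


# Constructed zone: two routed servers and two NAT'ed workstations.
ZONE = {
    "www.cs.example.edu": "192.0.2.10",
    "mail.cs.example.edu": "192.0.2.25",
    "alice-ws.cs.example.edu": "10.8.1.17",
    "bob-ws.cs.example.edu": "10.8.1.42",
}


def zone_view(querier_ip: str) -> dict:
    """Split DNS: internal queriers get the whole zone, external queriers only
    the records on subnets where NAT is not used."""
    q = ipaddress.ip_address(querier_ip)
    if q in WORKSTATION_SUBNET or q in SERVER_SUBNET:
        return dict(ZONE)
    return {name: ip for name, ip in ZONE.items()
            if ipaddress.ip_address(ip) not in WORKSTATION_SUBNET}


def resolve(name: str, querier_ip: str) -> Optional[str]:
    """Answer one query the way the zone would for that querier."""
    return zone_view(querier_ip).get(name)


if __name__ == "__main__":
    nat = SourceNAT(FIREWALL_PUBLIC_IP)
    out = nat.outbound(Packet("10.8.1.17", 51000, "203.0.113.5", 443))
    print("outbound as seen from outside:", out)
    print("reply mapped back to:", nat.inbound(
        Packet("203.0.113.5", 443, FIREWALL_PUBLIC_IP, out.src_port)))
    print("unsolicited inbound dropped:", nat.inbound(
        Packet("203.0.113.9", 1234, FIREWALL_PUBLIC_IP, 22)))
    print("alice-ws from inside:", resolve("alice-ws.cs.example.edu", "10.8.1.42"))
    print("alice-ws from outside:", resolve("alice-ws.cs.example.edu", "203.0.113.9"))
```

The table is keyed by the translated port but a reply is only accepted when it also comes from the remote endpoint the workstation opened the flow to, so an unrelated outside host cannot reuse a mapped port to reach the workstation. That same property is what makes ping and direct-contact telephony fail from outside: no workstation-initiated flow exists for them, so there is no entry to translate back through.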

We do our best to make sure that the firewall does not disrupt computing within the department. Sometimes people may ask if we will open a port on the firewall to allow a certain application to work. In most cases, the answer to this question is "no." In a few cases, where there is a legitimate research or academic need, and no alternative solution exists, we will do our best to accommodate the request, but beware that the usual method for allowing such things is to move the target host outside the department firewall. This means that the host will be much more exposed to attack from the internet, and will also not have access to many of the services available inside the firewall.