Inbound Access to CS Department Resources
The CS firewall controls outside access to systems inside the department in order to provide system and network security. Below is a table listing which protocols may be used, and to which systems. Most of the host names below are aliases, so that we can configure the best machine to provide a given service without requiring that our users learn new host names. In particular, portal.cs.princeton.edu, is an alias for multiple systems. So, each time you attempt a connection to portal, you will, most likely, be connected to a different machine than you were the last time.
Protocol | Target Host(s) |
---|---|
SSH/SFTP | portal.cs.princeton.edu, cycles.cs.princeton.edu |
FTP (anonymous) | ftp.cs.princeton.edu, ftpupload.cs.princeton.edu |
HTTP | www.cs.princeton.edu |
SMTP(Mail) | smtp.cs.princeton.edu |
Web(Mail) | webmail.cs.princeton.edu |
Various (as needed) | Projects: (NSG, PlanetLab, etc.) |
Most other network ports on other machines are blocked, except for machines outside the CS firewall. These machines should be reachable using most protocols other than telnet, rlogin, rsh, or rexec.
Protocols for Inbound Access
ssh/sftp
To prevent network sniffing from gleaning anything useful from your remote session, you can use the SSH package. (The previous link describes more about ssh and where to obtain the software.) SSH for Unix includes the following commands:
SSH also allows X11 forwarding. This means that if you use ssh to establish a session into the CS department (eg to portal), you can run X applications which will display on the machine from which you are connected.
In order to prevent outsiders from locating unguarded FTP servers within the department and exploiting them as distribution sites for illegal or malicious software, we limit inbound FTP connections to centrally managed FTP servers, which have access controls in place. One of these machines, ftp.cs.princeton.edu, can be used only for anonymous FTP downloads. For anonymous FTP uploads, use ftpupload.cs.princeton.edu. Because of the inherent risk in transmitting your password in clear-text via FTP, we block insecure FTP into the department as an authenticated user, meaning you won't be able to access your home directory through simple authenticated, insecure FTP. Users who need to transfer files to and from their UNIX account should use sftp or scp to portal.cs.princeton.edu instead. Details on how to use these commands can be found here.
The department maintains a public web server at http://www.cs.princeton.edu. All users with CS Unix accounts can publish content here by creating world-readable HTML files in their ~/public_html
directory. Note that the directory and all the files beneath it must be world-readable, or the web server code will not be able to open the directory or files.
SMTP (Mail)
Inbound email should only come through the department's SMTP server, smtp.cs.princeton.edu. This allows us to concentrate our efforts in one place, in order to reduce SPAM and prevent unauthorized email relaying through CS department machines.
Outbound Access from the CS Department
There are a few restrictions on which protocols may be used for outbound connections from department computers. However, since our firewall translates the addresses of most user machines, the methods used to make certain types of connections may be different than those to which you are accustomed.
We disallow outbound telnet, rlogin, rcp, rsh, and rexec access to hosts within the .princeton.edu
domain (128.112.0.0/16, 140.180.0.0/16) from within the CS Department. So for instance, trying to telnet to arizona.princeton.edu from portal.cs.princeton.edu will fail. Use the SSH utilities ssh, slogin, and scp as replacements for telnet, rlogin, rcp, rsh, and rexec.
Also, a common protocol which requires a different mode of use is the X Window System from X.org. In order to prevent random machines on the Internet from gaining access to your display, you must use ssh with X11 forwarding or a proxy program if you wish to run X applications remotely.
If you are trying to access a remote service from a CS department machine and are having difficulties, please consult the CS Guide first. If you cannot find a resolution to your problem there, then send an email message to CS Staff explaining what you are trying to do, and what errors you are receiving.