Network Access to/from Other Computers

Inbound Access to CS Department Resources

The CS firewall controls outside access to systems inside the department in order to provide system and network security. The table below lists which protocols may be used, and to which systems. Most of the host names below are aliases, so that we can configure the best machine to provide a given service without requiring our users to learn new host names. In particular, portal.cs.princeton.edu is an alias for multiple systems, so each time you connect to portal you will most likely reach a different machine than you did the last time.

Protocol              Target Host(s)
SSH/SLOGIN/SFTP       portal.cs.princeton.edu, penguins.cs.princeton.edu
FTP (anonymous)       ftp.cs.princeton.edu
HTTP                  www.cs.princeton.edu
SMTP (Mail)           smtp.cs.princeton.edu
Web (Mail)            webmail.cs.princeton.edu
Various (as needed)   Projects (NSG, PlanetLab, etc.)

Other network ports on all other machines are blocked, except for test machines on the cs-test subnet. These machines should be reachable using any protocol except telnet, rlogin, rsh, or rexec. Note that machines on this subnet are not production servers. This subnet is set up strictly for testing machines involved in a departmental project.

Protocols for Inbound Access

ssh/slogin/sftp

To prevent network sniffing from gleaning anything useful from your remote session, use the SSH package. SSH for Unix includes the following commands:

  • ssh - replaces rsh
  • slogin - replaces rlogin
  • scp - replaces rcp
  • sftp - replaces ftp

SSH for Unix also does X11 forwarding. This means that if you use ssh or slogin to establish a session into the CS department (e.g. to portal), you can run X applications that will display on the machine you are connecting from. If you have established a connection into the department using SSH and wish to run an X application on a different department machine, use the xrsh command.

SSH for MS-Windows provides similar capabilities via a different command interface.

FTP (anonymous)

In order to prevent outsiders from locating unguarded FTP servers within the department and exploiting them as "WaReZ" distribution sites, we limit inbound FTP connections to a single machine, which has access controls in place. This machine, ftp.cs.princeton.edu, can be used only for anonymous FTP. Because of the inherent risk in transmitting your password in clear text via FTP, we block authenticated (non-anonymous) FTP into the department, meaning you will not be able to access your home directory through plain, insecure FTP. Users who need to transfer files to and from their UNIX account should use sftp or scp to portal.cs.princeton.edu instead.

If you find that using sftp or scp is not possible from wherever you are transferring files to or from, an alternative is to move your files into a temporary staging directory in the anonymous FTP server's file system (/csinfo/ftp). From there you can use anonymous FTP to retrieve the files, but please be diligent in cleaning up any files you put there once you are done transferring them.

HTTP

The department maintains a public web server at http://www.cs.princeton.edu. All users with CS Unix accounts can publish content here by creating world-readable HTML files in their ~/public_html directory. Note that the directory and all the files beneath it must be world-readable, or the web server code will not be able to open the directory or files.
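The following script is an added example, not part of the CS Guide page. It checks a public_html tree for the world-readable rule stated above, and additionally requires world-execute (search) permission on directories, which a web server running as a different user needs before it can open anything inside them. The sample tree it builds is constructed here so the check runs offline.

```python
"""Find files under a public_html tree that the department web server could not open.

Added example, not part of the CS Guide page. It encodes the rule the page
states (everything beneath ~/public_html must be world-readable) plus one
standard POSIX fact: a directory also needs world-execute (search) permission
before another user can open the files inside it.
"""
import os
import stat
import tempfile
from pathlib import Path


def unreadable_paths(root):
    """Return sorted paths (relative to root) that fail the world-readable rule.

    Regular files need other-read; directories need other-read and
    other-execute. The root directory itself is checked too, since the
    server cannot descend into public_html unless it can open it.
    """
    root = Path(root)
    problems = []
    for path in [root, *root.rglob("*")]:
        mode = path.lstat().st_mode
        if stat.S_ISDIR(mode):
            needed = stat.S_IROTH | stat.S_IXOTH
        elif stat.S_ISREG(mode):
            needed = stat.S_IROTH
        else:
            continue  # symlinks, sockets etc. are outside this check
        if (mode & needed) != needed:
            problems.append(str(path.relative_to(root)))
    return sorted(problems)


def build_sample_tree(base):
    """Create a constructed public_html tree mixing correct and broken modes."""
    pub = Path(base) / "public_html"
    pub.mkdir()
    os.chmod(pub, 0o755)
    (pub / "index.html").write_text("<h1>hello</h1>\n")
    os.chmod(pub / "index.html", 0o644)            # fine: world-readable
    (pub / "draft.html").write_text("not ready\n")
    os.chmod(pub / "draft.html", 0o600)            # owner-only: the server is refused
    (pub / "notes").mkdir()
    os.chmod(pub / "notes", 0o700)                 # no o+rx: nothing beneath is reachable
    (pub / "notes" / "todo.html").write_text("todo\n")
    os.chmod(pub / "notes" / "todo.html", 0o644)   # correct bits, but the parent blocks it
    return pub


def demo():
    """Build the sample tree in a temporary directory and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return unreadable_paths(build_sample_tree(tmp))


if __name__ == "__main__":
    # Run on the constructed sample; for a real account use
    # unreadable_paths(Path.home() / "public_html").
    for rel in demo():
        print(f"not world-readable: {rel}")
```

On the sample tree the check reports draft.html and the notes directory; todo.html has the right bits but is still unreachable because its parent directory is not world-searchable, which is why the directory, not the file, is flagged. Fix reported files with `chmod o+r` and reported directories with `chmod o+rx`.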

SMTP (Mail)

Inbound email should only come through the department's SMTP server, smtp.cs.princeton.edu. This allows us to concentrate our efforts in one place, in order to reduce spam and prevent unauthorized email relaying through CS department machines.

Outbound Access from the CS Department

There are a few restrictions on which protocols may be used for outbound connections from department computers. However, since our firewall translates the addresses of most user machines, the methods used to make certain types of connections may be different from what you are used to.

Currently we are disallowing outbound telnet, rlogin, rcp, rsh, and rexec access to hosts within the .princeton.edu domain (128.112.0.0/16, 140.180.0.0/16) from within the CS Department. For instance, trying to telnet to arizona.princeton.edu from portal.cs.princeton.edu will fail. Use the SSH utilities ssh, slogin, and scp as replacements for telnet, rlogin, rcp, rsh, and rexec.

Also, a common protocol that requires a different mode of use is the X Window System from X.org. In order to prevent random machines on the Internet from gaining access to your display, you must use ssh with X11 forwarding or a proxy program if you wish to run X applications remotely.
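As an added example that is not the department's actual firewall configuration, the script below models the policy this page describes as code: the inbound table and cs-test exception from the "Inbound Access" section, the default deny that keeps X11 displays unreachable from outside, and the outbound block on telnet and the r-commands toward the .princeton.edu networks. Host addresses and the cs-test subnet are constructed placeholders from RFC 5737 documentation space; the two Princeton networks are the ones named above; services are mapped to their standard well-known TCP ports, with webmail on 443 as an assumption.

```python
"""Policy-as-code model of the CS firewall rules described on this page.

Added example, not the department's real firewall configuration. Host
addresses and the cs-test subnet are constructed placeholders drawn from
RFC 5737 documentation space (192.0.2.0/24); the two Princeton networks
(128.112.0.0/16, 140.180.0.0/16) are the ones the page names. Services are
mapped to their standard well-known TCP ports; webmail on 443 is an assumption.
"""
import ipaddress

# Clear-text remote-access services the page blocks in both directions.
LEGACY_PORTS = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh/rcp"}

# Inbound table from the page, keyed by a placeholder address for each alias.
INBOUND_ALLOW = {
    "192.0.2.10": {22},   # portal.cs.princeton.edu   (ssh/slogin/sftp)
    "192.0.2.11": {22},   # penguins.cs.princeton.edu (ssh/slogin/sftp)
    "192.0.2.21": {21},   # ftp.cs.princeton.edu      (anonymous FTP)
    "192.0.2.80": {80},   # www.cs.princeton.edu      (HTTP)
    "192.0.2.25": {25},   # smtp.cs.princeton.edu     (SMTP)
    "192.0.2.43": {443},  # webmail.cs.princeton.edu  (assumed HTTPS)
}

# Placeholder for the cs-test subnet: open except for the legacy services.
CS_TEST_SUBNET = ipaddress.ip_network("192.0.2.128/25")

# .princeton.edu address space named on the page.
PRINCETON_NETS = [ipaddress.ip_network("128.112.0.0/16"),
                  ipaddress.ip_network("140.180.0.0/16")]


def inbound_allowed(dst_ip, dst_port):
    """Would the firewall pass a new TCP connection from outside to dst_ip:dst_port?"""
    dst = ipaddress.ip_address(dst_ip)
    if dst in CS_TEST_SUBNET:
        return dst_port not in LEGACY_PORTS
    # Default deny: anything not in the table (X11 displays on 6000+, user
    # workstations, unlisted ports on the servers) is blocked.
    return dst_port in INBOUND_ALLOW.get(str(dst), set())


def outbound_allowed(dst_ip, dst_port):
    """Would a connection from a department machine to dst_ip:dst_port be passed?

    The page's only stated outbound restriction is the legacy clear-text
    services toward the .princeton.edu networks; everything else passes.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst_port in LEGACY_PORTS and any(dst in net for net in PRINCETON_NETS):
        return False
    return True


def evaluate(flows):
    """Label each (direction, dst_ip, dst_port) tuple with the policy verdict."""
    verdicts = []
    for direction, ip, port in flows:
        check = inbound_allowed if direction == "in" else outbound_allowed
        verdicts.append((direction, ip, port, "allow" if check(ip, port) else "deny"))
    return verdicts


# Constructed sample flows, including the page's own telnet-to-arizona example
# (arizona.princeton.edu's address is a placeholder inside 128.112.0.0/16).
SAMPLE_FLOWS = [
    ("in", "192.0.2.10", 22),      # ssh to portal: allow
    ("in", "192.0.2.10", 23),      # telnet to portal: deny
    ("in", "192.0.2.80", 80),      # http to www: allow
    ("in", "192.0.2.80", 22),      # ssh to www: deny (not in the table)
    ("in", "192.0.2.50", 6000),    # X11 straight to a user's display: deny
    ("in", "192.0.2.130", 8080),   # cs-test box, arbitrary port: allow
    ("in", "192.0.2.130", 513),    # cs-test box, rlogin: deny
    ("out", "128.112.1.1", 23),    # telnet to arizona.princeton.edu: deny
    ("out", "128.112.1.1", 22),    # ssh to the same host: allow
    ("out", "198.51.100.7", 23),   # telnet off campus: not restricted by the page
]

if __name__ == "__main__":
    for direction, ip, port, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{direction:3} {ip:>14}:{port:<5} {verdict}")
```

A model like this is useful for regression-checking a real rule set: each row of SAMPLE_FLOWS is a statement from the page turned into an expected verdict, so a change to the firewall that breaks one of them shows up as a failed assertion rather than a user ticket.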

If you are trying to access a remote service from a CS department machine and are having difficulties, please consult the CS Guide first. If you cannot find a resolution to your problem there, then send an email message to CS Staff explaining what you are trying to do, and what errors you are receiving.