CS Department Firewall

The CS Department runs a firewall to protect internal hosts from unwanted external network traffic. Due to the nature of firewalls, this can sometimes cause problems for applications or services that reside behind the firewall. If you are experiencing a problem that you believe is caused by the firewall, please contact CS Staff so we can work with you to find a solution. By default we block all incoming network ports from outside the department into those network subnets where we place personal workstations. Because of this, ping and other network applications that try to contact a host behind the firewall will not work. On department network subnets where we place personal workstations, we employ a technology known as "Network Address Translation" or NAT. Basically, any IP packets you send outside the department have their source IP address translated into the firewall's external IP address. When reply packets come back to the firewall from outside, the firewall looks up a translation table and rewrites the destination IP address from its own address back to your workstation's address.

Because of this setup, we also employ a second technology known as "Split DNS". To be brief, the DNS zone 'cs.princeton.edu' contains different records for internal and external hosts. When querying the zone from inside the department you'll find it contains each and every host registered with us. But when querying the zone from outside the department you'll see it only contains those entries which are on subnets where NAT is not used. Hence your workstation's host name will not be there since it is being NAT'ed.
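The two mechanisms described above, as an added toy model that is not part of the department's own firewall or DNS configuration: a stateful NAT whose translation table is populated only by outbound packets (so an unsolicited inbound ping finds no entry and is dropped), and a split-DNS resolver that answers external queries only for hosts on subnets where NAT is not used. The model goes one step beyond the text by mapping source ports as well as addresses, which is how NAT lets many workstations share one external IP; all subnets, addresses and host names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NAT_SUBNET = ip_network("10.0.0.0/8")        # constructed: personal workstation subnet
PUBLIC_SUBNET = ip_network("192.0.2.0/24")   # constructed: department subnet without NAT
FIREWALL_EXT = "203.0.113.1"                 # constructed: firewall's external address


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatFirewall:
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # external port -> (internal ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet's source to the firewall's address and a
        fresh external port, recording the mapping for the reply."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src, pkt.sport)
        return Packet(FIREWALL_EXT, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Re-translate a reply's destination from the firewall to the workstation.
        Anything without a table entry (an unsolicited ping or scan) is dropped."""
        if pkt.dst != FIREWALL_EXT or pkt.dport not in self.table:
            return None
        ip, port = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, ip, port)


# Constructed zone: a server on the public subnet and a NAT'ed workstation.
ZONE = {"www.cs.example.edu": "192.0.2.80", "ws42.cs.example.edu": "10.1.1.42"}


def resolve(name: str, client_ip: str):
    """Split DNS: clients inside the department see every record; clients outside
    only see hosts on non-NAT subnets, since no external route to the others exists."""
    addr = ZONE.get(name)
    if addr is None:
        return None
    inside = any(ip_address(client_ip) in net for net in (NAT_SUBNET, PUBLIC_SUBNET))
    if inside or ip_address(addr) not in NAT_SUBNET:
        return addr
    return None
```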

We do our best to make sure that the firewall does not disrupt computing within the department. Sometimes people may request that a port be opened on the firewall to allow a particular application to work. In most cases the answer to this request is "no"; however, where there is a legitimate research or academic need, and no alternative solution exists, we will do our best to accommodate the request. Beware, though, that the usual method for allowing such things is to move the target host outside the department firewall. This means that the host will be much more exposed to attack from the internet, and will also not have access to many of the services available inside the firewall.