Only services that access the Internet at large are affected. Cross-campus services are not affected.
- Some software will need to be upgraded to firewall-friendly versions
- Some software will need to be configured differently, for example to use a 'proxy server'
- Some services may require new procedures, such as logging in to an intermediate 'gateway' computer
We will try, where possible, to work with you to achieve your objectives, but there are some services that cannot be offered safely at all. We will try to suggest alternatives, if appropriate.
Firewall and communication software

Email
While using a third-party ISP or network connection, you can use POP (and IMAP) to access email on CiCS central servers (including Novell servers), plus any departmental servers which have been registered with CiCS.
If your Internet Service Provider allows you to use SMTP (mail sending) services other than their own, you will be able to send mail through your Sheffield account, but only if your email program has been correctly set up to connect to the Sheffield sending server (mailhost.shef.ac.uk).
Please look at the instructions provided for each email program to do this.

Email virus protection
To protect against embedded viruses, the system filter on the mail hubs will reject any message containing an attachment of file type
vbs, vbe, wsh, wsf, js, jse, exe, com, bat
with the following text:
"This message has been rejected because it appears to have an executable attachment. This form of attachment has been used by recent virus attacks. If you really meant to send this file then please package it up, e.g. as a zip file and resend it."
Another way of sending such a file is to rename it to a different file extension before sending it, and to tell the recipients to rename it back to the correct file extension before use.
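A sketch of the attachment check described above, as an added example (not the actual mail-hub filter, whose implementation this page does not show). The function names and the sample messages are constructed for illustration; the blocked file types and the rejection text are the ones listed above.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Blocked file types and rejection text are the ones listed on this page.
BLOCKED = {"vbs", "vbe", "wsh", "wsf", "js", "jse", "exe", "com", "bat"}
REJECT_TEXT = (
    "This message has been rejected because it appears to have an executable "
    "attachment. This form of attachment has been used by recent virus "
    "attacks. If you really meant to send this file then please package it "
    "up, e.g. as a zip file and resend it."
)


def blocked_attachments(raw):
    """Return the attachment filenames whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested MIME parts
        name = part.get_filename()
        if not name:
            continue
        # Match the last extension only, ignoring case and trailing dots or
        # spaces, so "photo.jpg.vbs" and "setup.EXE." are both caught.
        stem, dot, ext = name.strip().rstrip(". ").rpartition(".")
        if dot and ext.lower() in BLOCKED:
            hits.append(name)
    return hits


def verdict(raw):
    """Return the rejection text, or "accept" if nothing is blocked."""
    return REJECT_TEXT if blocked_attachments(raw) else "accept"


def sample(filename):
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "recipient@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # A zip passes because only the file name is inspected, not the content.
    for fn in ("report.doc", "setup.EXE", "photo.jpg.vbs", "setup.zip"):
        print(fn, "->", "reject" if blocked_attachments(sample(fn)) else "accept")
```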

rlogin, rsh, rcp
These services are not available to client computers outside the firewall connecting to computers inside. Use ssh (secure shell) or scp (secure copy) instead. Outgoing connections are not affected.

telnet
Telnet from computers outside the firewall to computers inside must go via a VPN (or RATS) connection.
Outgoing telnet connections (i.e. FROM Sheffield) are not blocked by the University firewall, though you may need to contact the host administrator to see if they have firewall restrictions.

ftp
Ftp from computers outside the firewall to computers inside must use a VPN (or dial-in) connection - there is no direct access from 3rd party connections (apart from a handful of anonymous ftp servers - including ftp.shef.ac.uk).
Outgoing ftp connections (i.e. FROM Sheffield) are not affected.

X Window
If you wish to run an X application on a remote host, you will find that the default X port is blocked by the firewall. You need to run an X server on display :1 instead of the default display :0.
Advice on how to do this for various platforms is given below.
- eXceed on a PC: change the Display Number setting under Exceed->Xconfig->Communication to 1 before starting the eXceed server.
- On Linux (and *BSD systems), start a second X server with startx -- :1. You can toggle between the two X servers with CTRL-ALT-Fx, where Fx is a function key (this will usually be 8, 9, or 10 on most platforms). Having two X servers increases your security: you can have a local X session on display :0 which is secure from attack, and a less secure session on display :1 for remote applications. Remember, if an X session is compromised, an attacker can read all your session screens, all your keystrokes, and can inject their own keystrokes into your session. This can be disastrous if you are typing in confidential data and passwords, or if you have a root session in a window.
- On a Sun using the dt login system, copy the /usr/dt/config/Xservers file (as root) to /etc/dt/config/Xservers, and edit the last line of the file, changing each occurrence of :0 to :1. You will need to restart the machine, or kill -HUP the dtlogin process from a command line session.
Usually, the remote system will set the DISPLAY environment variable automatically when you log in, but if it doesn't, you will need to set it manually using e.g. setenv DISPLAY myhost.shef.ac.uk:1. Alternatively, the display can be specified when starting the application, e.g. xapp -display myhost.shef.ac.uk:1.
This method is the preferred way to run remote X applications. A firewall exemption will only be considered where the alternatives prove impossible.

Miscellaneous
Please check with CiCS before purchasing software for Internet communication to ensure compatibility with the firewall.