Services Affected

Only services that access the Internet at large are affected. Cross-campus services are not affected.

  • Some software will need to be upgraded to firewall-friendly versions
  • Some software will need to be configured differently, for example to use a 'proxy server'
  • Some services may require new procedures, such as logging in to an intermediate 'gateway' computer

We will try, where possible, to work with you to achieve your objectives, but there are some services that cannot be offered safely at all. We will try to suggest alternatives, if appropriate.

Firewall and communication software

Email

Whilst using a 3rd party ISP or network connection, you can use POP (and IMAP) to access email on CiCS central servers (including Novell servers), plus any departmental servers which have been registered with CiCS.

Please look at the instructions provided for each email program to do this.

rlogin, rsh, rcp

These services are not available to client computers outside the firewall connecting to computers inside. Use ssh (secure shell) or scp (secure copy) instead. Outgoing connections are not affected.

telnet

Telnet from computers outside the firewall to computers inside must go via a VPN (or RATS) connection.

Outgoing telnet connections (i.e. FROM Sheffield) are not blocked by the University firewall, though you may need to contact the host administrator to see if they have firewall restrictions.

ftp

Ftp from computers outside the firewall to computers inside must use a VPN (or dial-in) connection. There is no direct access from 3rd party connections, apart from a handful of anonymous ftp servers (including ftp.shef.ac.uk).

Outgoing ftp connections (i.e. FROM Sheffield) are not affected.

X Window

If you wish to run an X application on a remote host, you will find that the default X port is blocked by the firewall. You need to run an X server on display :1 instead of the default display :0.

Advice on how to do this for various platforms is given below.

  • On a PC running eXceed, change the Display Number setting under Exceed->Xconfig->Communication to 1 before starting the eXceed server.
  • On Linux (and *BSD systems), start a second X server with startx -- :1. You can toggle between the two X servers with CTRL-ALT-Fx, where the Fx is a function key (this will usually be 8, 9, or 10 on most platforms). Having two X servers increases your security: you can have a local X session on display :0 which is secure from attack, and a less secure session on display :1 for remote applications. Remember, if an X session is compromised, an attacker can read all your session screens, all your keystrokes, and can inject their own keystrokes into your session. This can be disastrous if you are typing in confidential data and passwords, or if you have a root session in a window.
  • On a Sun using the dt login system, copy the /usr/dt/config/Xservers file (as root) to /etc/dt/config/Xservers, and edit the last line of the file, changing each occurrence of :0 to :1. You will need to restart the machine, or kill -HUP the dtlogin process from a command line session.

Usually, the remote system will set the DISPLAY environment variable automatically when you log in, but if it doesn't, you will need to set it manually using e.g. setenv DISPLAY myhost.shef.ac.uk:1. Alternatively, the display can be specified when starting the application, e.g. xapp -display myhost.shef.ac.uk:1.

This method is the preferred way to run remote X applications. A firewall exemption will only be considered where the alternatives prove impossible.
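
To check a DISPLAY value before starting a remote application, the following added example (not part of the original page) parses it and reports which TCP port the client will use. It assumes the standard X11 convention that display N listens on TCP port 6000 + N, which this page does not state; the function names x_display_port and x_display_check are hypothetical, and the sample values are constructed.

```sh
# Added example: parse an X11 DISPLAY value of the form host:display[.screen].
# Assumption (standard X11 convention, not stated on this page):
# display N is served on TCP port 6000 + N.

x_display_port() {
    # Print the TCP port for a DISPLAY value; return 1 if it is malformed.
    spec=$1
    case $spec in
        *:*) ;;
        *) return 1 ;;              # no colon, so no display number at all
    esac
    rest=${spec##*:}                # text after the last colon: "1" or "1.0"
    num=${rest%%.*}                 # drop the optional ".screen" suffix
    case $num in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric display number
        0?*) return 1 ;;            # leading zeros would be read as octal
    esac
    echo $((6000 + num))
}

x_display_check() {
    # Classify a DISPLAY value: invalid, local, blocked-default or tcp/PORT.
    spec=$1
    port=$(x_display_port "$spec") || { echo "invalid"; return 1; }
    host=${spec%:*}
    case $host in
        ''|unix) echo "local"; return 0 ;;   # local socket, never crosses the firewall
    esac
    if [ "$port" -eq 6000 ]; then
        echo "blocked-default"      # remote display :0, the default X port
        return 2
    fi
    echo "tcp/$port"
}

# Constructed sample values, including the hostname form used on this page.
for d in myhost.shef.ac.uk:1 myhost.shef.ac.uk:0 :0 myhost.shef.ac.uk:1.0 myhost; do
    printf '%-26s %s\n' "$d" "$(x_display_check "$d" || true)"
done
```
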

Miscellaneous

Please check with CiCS before purchasing software for Internet communication to ensure compatibility with the firewall.