IRIS

Instructional & Research Information Systems

Changes to Firewall Ruleset for Berkeley Way West

September 1, 2020 by Lars Rohrbach

Summary

This announces the upcoming change to the firewall ruleset for the 8th floor of Berkeley Way West (BWW) on the 128.32.175.0/24 network.  On September 15, 2020, the network border firewall policies will be brought in line with the existing IRIS (EECS) firewall ruleset for secure production networks. This change is to help facilitate moving all IRIS networks to the campus Palo Alto firewall infrastructure. Also, going forward, emailed requests for BWW firewall exceptions will no longer be needed.  The standard IRIS network registration forms will be utilized to make web servers at BWW available to the outside Internet.

In more detail

On September 15, 2020, the BWW default firewall rules that block all incoming traffic will be removed. 

This change will result in rules that only block ports/protocols as documented here:
https://iris.eecs.berkeley.edu/faq/security/eecs-firewall-ports/

In particular, services that utilize “high” or ephemeral ports (generally, anything over 1024) will no longer be blocked by the firewall, and will be accessible from the outside world.  Printing and Microsoft remote desktop access (via 3389/tcp) will remain restricted to campus networks (including the campus VPN but not the CalVisitor guest wireless networks).  Access from outside the BWW network to Microsoft ports will remain blocked.  SSH (22/tcp) access to BWW from the Internet will remain open.

Devices should continue to use their own host-based firewall to block and protect any services that should not be exposed to the internet, in accordance with campus minimum security standards.
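One way to review a Linux host before the change, as an added example that is not IRIS code: it parses `ss -H -tuln` output and labels each non-loopback listener by how the border firewall will treat it under the rules described above. It assumes the iproute2 `ss` tool; the function names and the sample output are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      511                *:8888             *:*
tcp   LISTEN 0      128          0.0.0.0:3389       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128            [::1]:6010          [::]:*
tcp   LISTEN 0      128          0.0.0.0:631        0.0.0.0:*
"""


def is_loopback(addr):
    """True if the bind address is only reachable from the host itself."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return addr != "*" and ipaddress.ip_address(addr).is_loopback


def classify(proto, port):
    """Map a listener to the border-firewall treatment the announcement describes."""
    if proto == "tcp" and port == 3389:
        return "campus-only"         # RDP stays restricted to campus networks
    if port > 1024 or (proto == "tcp" and port == 22):
        return "internet"            # high ports and SSH are open at the border
    return "check-blocked-list"      # consult the documented blocked-port list


def exposed_listeners(ss_output):
    """Return (proto, addr, port, reach) for each non-loopback listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit() or is_loopback(addr):
            continue
        findings.append((fields[0], addr, int(port), classify(fields[0], int(port))))
    return findings


if __name__ == "__main__":
    out = subprocess.run(["ss", "-H", "-tuln"], capture_output=True, text=True).stdout
    for proto, addr, port, reach in exposed_listeners(out):
        print(f"{proto:4} {addr}:{port:<6} {reach}")
```

Any listener labelled `internet` that should not be public needs a host-based firewall rule or a loopback-only bind address.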

The purpose of the change is to bring the Palo Alto firewall ruleset in line with the firewall ruleset we have used for IRIS with our Juniper NetScreen firewalls. This will enable us to migrate our other secure production subnets to the newer Palo Alto firewalls, in preparation for retirement of the older Juniper NetScreen firewalls.

Going forward

You’ll no longer need to request any firewall exceptions, unless they pertain to one of the blocked ports/protocols as linked above. For some blocked ports/protocols (e.g. http/https and smtp), you may request that they be allowed to your fixed DHCP (fixed IP address) devices by registering each device in the IRIS Network Database (https://iris.eecs.berkeley.edu/network/) and indicating the need for that traffic.

See also:

  • https://iris.eecs.berkeley.edu/faq/network/networking-at-bww/

Filed Under: News
