
Systems Department

Public Subnet Firewall - Appendix

  1. Router Access List – September 16, 2003

    ! Extended IP access for library patron subnet
    ! This list is to be applied to the subnet side as an input list
    ! (the source 129.97.71.0/24 used throughout is the patron subnet, so
    ! "in" on FastEthernet0.11 filters what patron machines may send out)

    interface FastEthernet0.11
    no ip access-group 160 in
    ip access-group 160 in
    !
    ! Delete any old list
    ! NOTE(review): between "no access-list 160" and the first permit below,
    ! the group above references a list that does not exist; IOS treats an
    ! undefined list as permit-all, so pasting this into a live router opens
    ! the subnet briefly.
    !
    no access-list 160
    !
    ! Allow established TCP sessions
    ! ("established" matches on the ACK/RST flags only -- there is no state
    ! table -- so any packet carrying those bits is admitted)
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 any established
    !
    ! Allow DNS, DHCP
    ! The 0.0.0.0 -> 255.255.255.255 line is the initial DHCP DISCOVER from a
    ! client that has no address yet.
    ! NOTE(review): client-to-server DHCP is addressed to bootps (67); "eq bootpc"
    ! (68) on the ns1/ns2 lines matches server-to-client replies instead --
    ! confirm the intended direction.
    !
    access-list 160 permit udp 129.97.71.0 0.0.0.255 any eq domain
    access-list 160 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host ns1 eq bootpc
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host ns2 eq bootpc
    !
    ! Allow PING replies (for network connectivity tests from outside subnet)
    ! (only replies leave the subnet; echo requests from inside reach the final deny)
    !
    access-list 160 permit icmp 129.97.71.0 0.0.0.255 any echo-reply
    !
    ! Allow NetBIOS access to library, pilot and snap4100
    ! (137/udp name service, 138/udp datagram, 139/tcp session)
    !
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host library eq netbios-ns
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host library eq netbios-dgm
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host library eq 139
    !
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host pilot eq netbios-ns
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host pilot eq netbios-dgm
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host pilot eq 139
    !
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host snap4100 eq netbios-ns
    access-list 160 permit udp 129.97.71.0 0.0.0.255 host snap4100 eq netbios-dgm
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host snap4100 eq 139
    !
    ! Allow Web access to library Web servers
    ! and to pqdweb.umi.com and proquest.umi.com
    ! and to lssi.com, testtube and the two local SUS machines
    ! (the "library" www line below is kept but commented out -- confirm that is intended)
    ! access-list 160 permit tcp 129.97.71.0 0.0.0.255 host library eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host pilot eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host testtube eq www
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host sus eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host sus-vanguard eq www
    !

    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host pqdweb.umi.com eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host proquest.umi.com eq www
    !
    ! IOS resolves a host name once, when the line is entered, and stores the
    ! address. The two numeric lssi.com lines appear to pin the same hosts by
    ! address as a hedge against name changes -- confirm.
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host host201.lssi.com eq www
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host host205.lssi.com eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host 65.220.22.201 eq www
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host 65.220.22.205 eq www
    !
    ! Allow HTTPS access to various campus servers
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host ego eq 443
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host brawny eq 443
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host blanc eq 443
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host etna eq 443
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host dynomites eq 443
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host snap4100 eq 443
    !
    ! Allow NNTP access to campus news server (news.uwaterloo.ca)
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host 129.97.128.186 eq nntp
    !
    ! Allow the following for printing from a single workstation
    ! ("permit ip" is every protocol and port between this workstation and the
    ! two print hosts; the print protocol in use is not recorded here)
    !
    access-list 160 permit ip host 129.97.71.175 host 129.97.58.103
    access-list 160 permit ip host 129.97.71.175 host 129.97.58.193
    !
    ! Allow access to St. Jerome's printer
    ! (no port given, so every TCP port on that host)
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host sjulibpublaser
    !
    ! Allow XFIRE access
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host beilstein.library.wisc.edu eq 8001
    !
    ! Allow Z39.50 to a couple of sites
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host sci1.cas.org eq 210
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host sci2.cas.org eq 210
    !
    ! Allow access to Watcard
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 host secure.watcard.uwaterloo.ca eq 4667
    !
    ! Allow telnet and ssh to anywhere
    ! (telnet carries credentials in the clear; 22 is its encrypted counterpart)
    !
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 any eq telnet
    access-list 160 permit tcp 129.97.71.0 0.0.0.255 any eq 22
    !
    ! Everything else is denied
    ! (the implicit deny would do the same; the explicit line gives a hit counter
    ! in "show access-lists")
    !
    access-list 160 deny ip any any
    !
    !
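    ! temporary block on M$ protos to rebuild compromised systems
    ! (list 161 is applied inbound on FastEthernet0.10; from the rule
    ! directions -- server -> 129.97.71.0/24 -- this appears to be the side
    ! traffic enters from on its way to the patron subnet. No removal date is
    ! recorded for this "temporary" list.)
    !
    ! Transcription repairs against the published copy: the interface commands
    ! had "ip" wrapped onto the wrong line, the "Delete any old list" comment
    ! had lost its leading "!", and a stray "!" was appended to the last permit.
    !
    interface FastEthernet0.10
    no ip access-group 161 in
    ip access-group 161 in
    !
    !
    ! Delete any old list
    !
    no access-list 161
    !
    ! The three file servers may still reach patron machines on the NetBIOS
    ! ports (137/udp name service, 138/udp datagram, 139/tcp session); the
    ! name-service lines for pilot and snap4100 are deliberately left commented.
    !
    access-list 161 permit udp host library 129.97.71.0 0.0.0.255 eq netbios-ns
    access-list 161 permit udp host library 129.97.71.0 0.0.0.255 eq netbios-dgm
    access-list 161 permit tcp host library 129.97.71.0 0.0.0.255 eq 139
    ! access-list 161 permit udp host pilot 129.97.71.0 0.0.0.255 eq netbios-ns
    access-list 161 permit udp host pilot 129.97.71.0 0.0.0.255 eq netbios-dgm
    access-list 161 permit tcp host pilot 129.97.71.0 0.0.0.255 eq 139
    ! access-list 161 permit udp host snap4100 129.97.71.0 0.0.0.255 eq netbios-ns
    access-list 161 permit udp host snap4100 129.97.71.0 0.0.0.255 eq netbios-dgm
    access-list 161 permit tcp host snap4100 129.97.71.0 0.0.0.255 eq 139
    !
    ! Every other source is blocked on 135-139 (tcp and udp) and 445/tcp;
    ! all remaining traffic passes.
    !
    access-list 161 deny tcp any any range 135 139
    access-list 161 deny udp any any range 135 139
    access-list 161 deny tcp any any eq 445
    access-list 161 permit ip any any
    !
    end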

  2. Pilot Web Server Proxy Directives

    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    # (the matching </IfModule> is not part of this excerpt)
    <IfModule mod_proxy.c>
    ProxyRequests On
    #
    # Don't act as a general proxy for any client
    # ("ProxyRequests On" makes this a forward proxy for any URL; the
    # <Directory proxy:*> block below is the only thing narrowing who may use it)

    <Directory proxy:*>
    Order deny,allow
    Deny from all
    # "129.97.71" is a partial address: mod_access treats it as the 129.97.71.0/24
    # prefix, i.e. the patron subnet from the router list above.
    Allow from 129.97.58.43
    Allow from 129.97.71
    Allow from 129.97.108.21
    Allow from 129.97.35.11
    AuthName "ADS/W2K Active Directory Authentication"
    AuthType Basic
    # Basic auth sends the AD password base64-encoded in every Proxy-Authorization
    # header; it is protected only as far as the client-to-proxy link is.
    # NOTE(review): no "require" directive (e.g. valid-user) is visible in this
    # excerpt; in Apache 1.3 the authentication handler only runs when one
    # applies, so confirm it exists elsewhere or these Auth* lines are inert.
    # With no Satisfy directive the default is "all": a client must pass the
    # Allow list AND authenticate.
    # Use Server Message Block protocol with an accelerator cache
    PerlAuthenHandler Apache::AuthenDBMCache Apache::AuthenSmb Apache::AuthenDBMCache::manage_cache
    # Cache parameters -- hold onto data for 12 hrs.
    # (a cached result presumably stays valid for the full TTL even if the AD
    # account is disabled or its password changed in the meantime -- confirm)
    PerlSetVar AuthenDBMCache_TTL 43200
    # The Domain Controllers and the Domain
    PerlSetVar myPDC douglasfir
    PerlSetVar myBDC oak
    PerlSetVar myDOMAIN ads.uwaterloo.ca
    </Directory>

    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    #ProxyVia On

    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
    #CacheRoot "/software/wwwapache-1.3_server/data/proxy"
    #CacheSize 5
    #CacheGcInterval 4
    #CacheMaxExpire 24
    #CacheLastModifiedFactor 0.1
    #CacheDefaultExpire 1
    #NoCache a_domain.com another_domain.edu joes.garage_sale.com

    # Proxy Directory and Restriction Specifications
    #
    # Per-destination overrides. Directory sections are merged shortest match
    # first, so these win over <Directory proxy:*> for their URL prefix while
    # still inheriting its Auth* settings. "none" is not a mod_access keyword;
    # it is read as a host-name fragment and so matches (practically) nothing,
    # which makes "allow from none" a deny-all and "deny from none" an allow-all.
    # The first seven blocks therefore refuse the webcams, the Blizzard FTP
    # mirror and Windows Update through this proxy (presumably to steer patrons
    # to the local SUS machines permitted in the router list); the last three
    # open the card-office sites to any client that can reach the proxy port.

    <Directory proxy:http://camera1.city.north-bay.on.ca/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://www.city.north-bay.on.ca/Bay-cam/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://ftp.blizzard.com/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://download.windowsupdate.com/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://windowsupdate.microsoft.com/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://v4.windowsupdate.microsoft.com/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:http://wustat.windows.com/*>
    order deny,allow
    deny from all
    allow from none
    </Directory>
    <Directory proxy:https://secure.watcard.uwaterloo.ca:4667/*>
    order allow,deny
    allow from all
    deny from none
    </Directory>
    <Directory proxy:https://onecard.uwaterloo.ca:4667/*>
    order allow,deny
    allow from all
    deny from none
    </Directory>
    # NOTE(review): ":/*" (a colon with no port) looks like a transcription slip
    # for "/*" -- confirm against the live configuration.
    <Directory proxy:http://onecard.uwaterloo.ca:/*>
    order allow,deny
    allow from all
    deny from none
    </Directory>
    # End of proxy directives.

August 9, 2005