Network Engineering has implemented a firewall design with the following goals in mind:
Our current strategy is to configure a separate services firewall context for each department. Machines in a "services" network are those that need to provide services to off-campus or non-firewalled hosts. Rulesets for each departmental services subnet are then managed by the department.
Workstations are placed behind the Enterprise Firewall, which denies all inbound connections. No outbound connections are restricted. Some access to workstations behind the firewall will be enabled via the VPN for services such as RDP or SSH.
Q: Will I be able to access my workstation from home via Remote Desktop or SSH after it has been moved behind the firewall?
A: Yes, you will be able to use the VPN to access your workstation remotely.
Q: For servers behind the firewall, if I don't want to allow outbound port 80 access, how do I use proxy?
A: Most applications support a proxy server and are easy to configure. For those that don't, you may be able to use an environment variable to specify the proxy server. For example, in bash, do: export http_proxy='http://proxy.oregonstate.edu:3128'
Q: For servers behind the firewall, if I block outbound access, how can I do SVN via Proxy?
A: SVN supports proxy and our proxy servers are configured to allow the needed methods. Instructions for SVN are here: http://subversion.apache.org/faq.html#proxy
The following groups and departments have moved all or part of their systems behind the campus firewall: