March 25, 2005
OIT has made several changes to the default LAWN firewall rule sets over the break. These changes enhance security and also give departments and individual users greater control over the use of services on LAWN and within departments.
Here is a brief description of the changes we have made:
- Allow rate-limited ICMP - once authenticated, you can use ping and traceroute as normal. To limit the effects of a possible ping flood, ICMP packets (used by ping and traceroute) will be rate-limited for all authenticated users. We will do our best to adjust this limit as necessary.
- TCP SYN rate limit - once authenticated, the rate of SYN packets leaving the LAWN will be limited. This guards against denial-of-service attacks. Users should not experience issues with this; we will do our best to adjust this limit as necessary to make sure this is the case.
- Firewall rule relaxation - Because many departments now have a firewall protecting external access to their subnet, the outbound (from the LAWN) border filters (mirroring those at the GT border) will be bypassed for ONLY those subnets with deployed firewalls. This gives each department localized control over what is allowed from the LAWN into its subnets, without OIT having to maintain a rule set per department on the LAWN gateway. If you are unable to access user services offered by your department, check with your CSR/CSS to find out whether a departmental firewall is in place.
- Inbound Service Security - By default, TCP connections originating from non-LAWN machines to machines on the LAWN will be denied (via stateful packet inspection). We are doing this to limit the exposure of LAWN users to hackers and viruses scanning for vulnerable hosts. Since most users are not intentionally running services, most users will be unaffected. Those who wish to offer services beyond the LAWN will have the option of disabling this feature.
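To make the effect of these rules concrete, here is an added illustration that models the ICMP rate limit, the outbound SYN rate limit and the stateful inbound-TCP denial (with the per-host opt-out) as a small packet filter. It is not OIT's configuration; this notice does not say what platform or rule syntax the LAWN gateway uses. The LAWN prefix, the remote address, the authenticated and opted-out hosts, and the rates and burst sizes are all constructed for the demonstration, and the departmental-firewall bypass is not modelled.

```python
"""Toy packet filter modelling the LAWN default policy described above (illustration only)."""
from dataclasses import dataclass

LAWN_PREFIX = "10.0.0."      # constructed: treat 10.0.0.x as LAWN addresses
REMOTE = "192.0.2.10"        # constructed: an off-LAWN host (TEST-NET-1 range)


@dataclass
class Packet:
    proto: str           # "icmp" or "tcp"
    src: str
    dst: str
    ts: float            # arrival time in seconds
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s, holds at most `burst` tokens."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = None

    def allow(self, ts: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LawnFilter:
    def __init__(self, icmp_rate, icmp_burst, syn_rate, syn_burst):
        self.limits = (icmp_rate, icmp_burst, syn_rate, syn_burst)
        self.authenticated = set()   # LAWN hosts that have completed authentication
        self.serving = set()         # hosts that disabled the inbound-TCP block
        self.icmp_buckets = {}       # per-host ICMP token buckets
        self.syn_buckets = {}        # per-host outbound-SYN token buckets
        self.established = set()     # (lawn_host, remote_host) opened from the LAWN side

    @staticmethod
    def is_lawn(ip: str) -> bool:
        return ip.startswith(LAWN_PREFIX)

    def filter(self, p: Packet):
        """Return (verdict, reason) for one packet."""
        icmp_rate, icmp_burst, syn_rate, syn_burst = self.limits
        if self.is_lawn(p.src):                          # outbound from the LAWN
            if p.src not in self.authenticated:
                return "DROP", "unauthenticated host"
            if p.proto == "icmp":
                b = self.icmp_buckets.setdefault(p.src, TokenBucket(icmp_rate, icmp_burst))
                return ("ACCEPT", "icmp within limit") if b.allow(p.ts) else ("DROP", "icmp rate limit")
            if p.proto == "tcp":
                if p.syn and not p.ack:                  # new connection attempt
                    b = self.syn_buckets.setdefault(p.src, TokenBucket(syn_rate, syn_burst))
                    if not b.allow(p.ts):
                        return "DROP", "syn rate limit"
                    self.established.add((p.src, p.dst))  # remember it for the reply direction
                return "ACCEPT", "outbound tcp"
        if self.is_lawn(p.dst):                          # inbound to the LAWN
            if p.proto == "tcp":
                if (p.dst, p.src) in self.established:
                    return "ACCEPT", "reply to a connection opened from the LAWN"
                if p.syn and not p.ack and p.dst in self.serving:
                    return "ACCEPT", "host opted in to offer services"
                return "DROP", "inbound tcp to LAWN denied (stateful)"
            return "ACCEPT", "inbound non-tcp (not covered by the tcp rule)"
        return "DROP", "neither end on the LAWN"


def demo():
    """Run constructed traffic through the policy and return the verdicts by scenario."""
    fw = LawnFilter(icmp_rate=2, icmp_burst=3, syn_rate=2, syn_burst=3)
    fw.authenticated.update({"10.0.0.5", "10.0.0.9"})
    fw.serving.add("10.0.0.9")
    out = {}
    out["unauth_ping"] = fw.filter(Packet("icmp", "10.0.0.7", REMOTE, 0.0))[0]
    # five pings in 50 ms: the burst of 3 passes, the rest is dropped
    out["ping_burst"] = [fw.filter(Packet("icmp", "10.0.0.5", REMOTE, i * 0.01))[0] for i in range(5)]
    out["ping_later"] = fw.filter(Packet("icmp", "10.0.0.5", REMOTE, 2.0))[0]   # bucket refilled
    out["syn_flood"] = [fw.filter(Packet("tcp", "10.0.0.5", REMOTE, 3.0 + i * 0.01, syn=True))[0]
                        for i in range(5)]
    out["reply_to_own_conn"] = fw.filter(Packet("tcp", REMOTE, "10.0.0.5", 3.1, syn=True, ack=True))[0]
    out["unsolicited_inbound"] = fw.filter(Packet("tcp", REMOTE, "10.0.0.7", 3.2, syn=True))[0]
    out["inbound_to_server"] = fw.filter(Packet("tcp", REMOTE, "10.0.0.9", 3.3, syn=True))[0]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The token bucket is what makes "rate limited" tolerant of normal use: a short burst of pings or connection attempts passes unchanged, and only a sustained excess is dropped, so an ordinary user sees no difference while a flood is capped. The `established` set plays the role of the stateful inspection table: a SYN-ACK coming back for a connection the LAWN host opened is accepted, while an unsolicited SYN from outside is dropped unless the destination host has turned the protection off.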
More information on LAWN security is available on the LAWN Security web page.