Overview

The campus firewall restricts access to the campus network from the Internet. It protects university resources from abuse or attack by Internet users, who may take advantage of the many vulnerabilities on modern computer systems.

By default, all inbound IP protocols are blocked and the resource owner must request any desired openings. To learn more about requesting a port opening, see the Request section.

Getting Started

Before requesting ports to be opened, you should check whether any ports are already open for your system. To view current firewall settings for systems you own, visit the Get System Information section on our csi.itsec.tamu.edu website. Ownership is determined by the group ownership information in Infoblox.

To request a port opening in the campus firewall, go to csi.itsec.tamu.edu or submit a request to firewall@tamu.edu. Computers with services available through the campus firewall must be scanned for vulnerabilities.

Help and Support

Please see the Guidelines and FAQ section for additional information. If you have any questions or concerns, send an email to firewall@tamu.edu.

Contact Information

Request

Firewall Port Opening

The Texas A&M Campus Firewall blocks all service ports by default. Requests to have a service available outside the campus firewall can be made by sending an email to firewall@tamu.edu or visiting csi.itsec.tamu.edu.

Requests may take up to two business days to be completed. If the request is urgent, and the two-day timeline is not sufficient, please state that the request is URGENT and include the reason for this urgency. If you do not receive a response to your mail, please call Help Desk Central at 979.845.8300, and ask them to contact Cyber Defense concerning your request.

Firewall configurations are applied to IP addresses, but referenced by the host name. All initial firewall change requests should be made for the machine hostname and not the IP address. If the name or IP address of a machine changes, you will need to email firewall@tamu.edu regarding the change to ensure that firewall settings for that machine continue to work.

Not all ports are allowed to be opened through the campus firewall. For a listing and explanation of exceptions allowed through the firewall, please see the Guidelines section.

Authorization to Request Port Openings

All information resources that have services allowed through the firewall must have valid ownership information, and firewall change requests must be received from a member of an ownership group as listed in Infoblox. Infoblox manages IP addresses and domain name assignments for the campus network.

Requests for changes to the firewall must come from the resource owner or custodian of the machine as recorded in Infoblox. Requests received from anyone else will be forwarded to the information resource owner for approval. Because of the high turnover rate of student administrators, we do not accept firewall change requests from students unless approved by a full-time staff member in the department hosting the machine.

Configuration and Security of Port Openings

Information resources must be secured before their services can be allowed through the campus firewall. The endpoint will be required to have the vulnerability scanning agent installed, and it will be scanned for vulnerabilities. Any detected problems with a severity of Medium or higher must be remediated before the requested ports can be opened. Systems hosting services already open through the firewall are also required to have the vulnerability scanning agent installed and will be scanned periodically to ensure the system remains free of vulnerabilities. If problems are found during these scans, the owner will be notified, and we will work with you to help secure the service. For more details on our vulnerability scanning program, see https://it.tamu.edu/services/security/security-services/network-vulnerability-scanning/

Guidelines

Firewall Port Restrictions

  • The campus firewall is in place to protect the campus network. Therefore, not all requested ports can be opened. Remember, it is a security violation to run a service on any port other than the IANA-assigned port for that service.

  • When any port is opened through the campus firewall, the system operator is responsible for its integrity. The port will be blocked if the machine is considered a security risk to the campus network.

  • All insecure protocols (protocols that provide no encryption and pass traffic in clear text) may not be allowed through the campus firewall. Examples of insecure services include Telnet, FTP, IMAP, and POP.

  • As of March 28, 2018, all new firewall opening requests for services that use credentials for access will be required to use multi-factor authentication. Owners will need to verify that multi-factor authentication is enabled before a firewall exception is permitted.

  • Anonymous FTP is allowed. However, if you are found to be running authenticated FTP services (i.e., non-anonymous, non-encrypted), we will block the port for this service.

  • An alternative solution to connect to the campus network that does not require exceptions in the campus firewall is the campus VPN Service.

  • Services should run on standard ports. This means port 80 (for unencrypted) and port 443 (for SSL-enabled). We do allow alternate servers on 8000 or 8080 (unencrypted) and 8443 (encrypted). For SSL-encrypted sites, self-signed certificates will NOT be allowed for hosts open through the campus firewall. The certificate must be signed by a trusted Certificate Authority. To request a certificate, visit the Certificates website.

  • The SMTP port (port 25) is closed both inbound and outbound by default for all hosts. To learn more, visit the Knowledge Base article. If you need the SMTP port opened, you must provide detailed documentation on the reasons the Texas A&M configuration is not sufficient, and your machine will be checked to verify that it is not relaying mail. To request an exception, please email security@tamu.edu.

  • All incoming IP traffic is blocked by default at the campus firewall. To open a needed port, visit csi.itsec.tamu.edu. The table below shows which ports can be opened through the campus firewall.

  • Incoming ICMP echo requests are blocked by default at the campus firewall. To request an exception to this rule, please email firewall@tamu.edu.

  • For resource protection, only IT Security and resource owners are permitted to monitor network traffic, and only in the course of investigation of a network problem or security incident.

  • IT Security will regularly audit and test the firewall rule set to verify accuracy and effectiveness. If a system is found to be a security risk during this audit, the port(s) for that host may be blocked, and the owners will be contacted concerning the issue.

FAQ

Why do we have a campus firewall?
How do I find out the firewall configuration for a certain host?
How do I request a new firewall exception?
What ports can I open through the firewall if I live in a dorm/residence hall?

Why do we have a campus firewall?

The campus firewall restricts access to the Texas A&M campus network from the Internet. It protects campus resources from abuse/attack by Internet users who may take advantage of the many vulnerabilities on modern computer systems.

How do I find out the firewall configuration for a certain host?

Current firewall settings for an individual machine can be viewed in the Get System Information section at csi.itsec.tamu.edu.

How do I request a new firewall exception?

You can request a port opening at https://csi.itsec.tamu.edu/. Requests must come from a member of an Infoblox group which is listed as owning the host and may take up to two business days to be processed. Requests can also be made through email to firewall@tamu.edu. Please include the IP address or hostname needing the exception, the port(s) needing to be opened, and the reason for the port opening.

What ports can I open through the firewall if I live in a dorm/residence hall?

Due to changes in network configurations, students in the Residence Halls will no longer be allowed to request a port opening for computers on ResNet. This means that no computer on ResNet can be accessible from off campus.
