Firewall Levels

MCECS provides wired network connections with three different levels of protection from outside access. It’s important to understand these settings when using the Host Add form on our Intranet.

Firewalled	The default and recommended for users who do not want the high level of responsibility securing internet-facing services. Allows no connections to come from outside of PSU. RDP is allowed from all of PSU, but not ‘PSU Guest’ or ‘Eduroam’ on WiFi Connections from other hosts within MCECS or VPN are not blocked. In some cases, firewalled hosts are also NAT’d at the PSU campus border.	For most desktops or laptops where all you are doing is accessing the Internet and other MCECS/PSU services.
Web/SSH	Provides a useful middle ground for users who need only expose the most common services to the internet. Allows incoming connections from outside of PSU only to a few web-related TCP ports (80, 81, 8080,8089, 443, 8443) and SSH (port 22). ICMP messages are also allowed. RDP is allowed from all of PSU, but not ‘PSU Guest’ or ‘Eduroam’ on WiFi. Connections from other hosts within MCECS or VPN are not blocked.	For people who need to log into their computer remotely. Or run a local web server that could be accessed remotely.
Other	Allows almost everything from outside of PSU. This includes web-related ports, ssh, DNS, isakmp, finger, ftp, smtp, telnet, rtsp, rsync, and most ports above 1023 (but not NFS, postgres, BackupExec, Active Management, or any ports associated with ongoing attacks or vulnerabilities.) RDP and CIFS are allowed from PSU, but not ‘PSU Guest’ or ‘Eduroam’ on WiFi. Connections from other hosts within MCECS or VPN are not blocked.	If you are using this level, you need to be aware of the risks of being directly exposed to the Internet and be vigilent about patches and security. If your computer/device is suspected of compromise, it will be disconnected from the network.