<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
Paul,<br>
<p> <br>
Sorry for the delay in answering, my small bits of free time have
been taken up with adjusting to this social distancing thing (and
I maybe spent too much effort on this email, trying to avoid
confusion).<br>
<br>
Your email has raised some more questions, and doesn't seem to
have really addressed our queries.</p>
<p><br>
</p>
<p>From what I can glean, there are two primary tasks that your team
is trying to address.<br>
</p>
<ul>
<li>UWA wants central control and approval of all subdomains of
.uwa.edu.au</li>
<ul>
<li>Nick's email on 2020-04-17 12:10 covers parts of this
relatively well, so I won't be addressing it in this email.</li>
</ul>
<li>There should be no externally-accessible services on the
130.95.0.0/16 network that aren't either proxied through
Cloudflare (For HTTP/HTTPS) or explicitly whitelisted.</li>
</ul>
<p><b><br>
</b></p>
<p><b>Addressing your questions</b><br>
</p>
<p><b><br>
</b></p>
<p><b>> You might consider that we are going to be running the whole
university on less than that.</b></p>
<p>Do you mean that UWA plan on exposing less than 64 hosts to the
public internet? Does this count various faculty services (e.g.
the computer science department's user servers)?</p>
<p><br>
</p>
<b>> </b><b><i>Are we in a position to alter the firewall rules
from anything about 130.95.13.32/26 now? (Ed: </i></b><b><i>130.95.13.0/26)</i></b>
<p>What particular changes are you referring to? As Nick covered in
his email - we still don't have a working Cloudflare setup, so
blocking port 443/80 will break all websites hosted within the UCC
network. Additionally, blocking port 53 will have similar impacts
(including preventing our SSL certificates from updating).</p>
<p><br>
</p>
<p>If you mean blocking any access to addresses outside
130.95.13.0/26, then that is also not yet possible as we have
services scattered throughout the address range.</p>
<p>Some context: We've separated our range into four regions:
trusted hosts ("machine room" - physically isolated network),
semi-trusted ("clubroom" - wired network in a semi-public space),
member virtual machines, and then the upper quarter for misc
services (e.g. NAT and VPN). There are public services (see the
list below) that live in many parts of this range for various
reasons.<br>
</p>
<br>
<br>
<b>> </b><b><i>If you could have a look at the scan list
provided and give a brief description of the hosts and their
purpose from an educational purpose.</i></b><br>
<p>I've included at the end of this email a (maybe not too-brief)
summary of each host on your list, and what services they provide.
Many of those hosts were just exposing SSH (port 22), used for
authenticated remote access.</p>
<p><br>
</p>
<p>However - while the individual computers provide some assistance
towards the club's primary objective (which, according to the
constitution, is "for the advancement of computer science and
technologies") by facilitating the development of interesting
projects (e.g. the iodine VPN server, dropbear ssh server, and
compute power for several PhD projects) - it is the role of the
UCC network as a whole that is the most relevant to this discussion.</p>
<p><br>
</p>
<p>The UCC network in its current form (minimally fire-walled,
overseen by "old guard") provides an enterprise-like environment
for aspiring system administrators to develop and practice skills
that would otherwise only be available via expensive training
courses or years of industry experience. The services hosted by
the UCC (e.g. a library catalog for the science-fiction club)
assist the greater UWA community, and provide a set of clients who
are (usually) understanding when things break due to this learning
process.</p>
<p><br>
</p>
<p><i>Short version</i>: It's the network itself that provides the
largest educational benefit; without that we're just a computer
lab.<br>
</p>
<br>
<p><br>
</p>
<p><b>Further Questions:</b></p>
<ul>
<li>Is there any progress/possibility of UCC continuing to run a
minimally fire-walled network segment (as we have done for over
20 years)?</li>
<ul>
<li>We use our own border firewall, which is rather selective in
what ports are opened for each host.</li>
<li>Historically, it's only port 25 (SMTP) that has been blocked
at the UWA border, to prevent students from sending spam.<br>
</li>
</ul>
<li>If not: What size network segment can be left for us to
firewall? You seem to be implying that a /26 is acceptable?</li>
<ul>
<li>It'll take a few weeks to reorganize our network to move all
public hosts into one block, see above comments about the
network layout.</li>
</ul>
<li>What network ports are intended to be wholesale blocked?</li>
</ul>
<br>
<br>
<p><b>A summary of each host with open ports</b></p>
<ul>
<li>.1 (murasoi) is our primary router, it (like all other
servers) exposes SSH for remote management. All publicly
accessible SSH servers are protected by fail2ban to prevent
brute-force attacks</li>
<li>.3 (mailauesi) is a proxy host for our mail services -
exposing authenticated SMTPS, IMAPS, and POP3S</li>
<li>.6 (gitlab) is our source control server, running SSH (for
both management and "git push") and HTTPS (for the web
interface)</li>
<li>.7 (motsugo) is our primary user shell server (hence ssh &
ident) and mail retrieval server (IMAPS and POP3S)</li>
<li>.8 (flame-tunnel) is firewall magic that forwards traffic on
any port to the "Flame" chat service on port 4242. We're looking
into decommissioning this one.<br>
</li>
<li>.9 (mooneye) is our DNS and mail server, also used to run our
wiki (HTTP/HTTPS, it's been moved in the last few weeks).</li>
<li>.10 (myxine) is the machine that hosts our OCS Inventory
system. This operates over HTTPS, hence that port responding.</li>
<li>.11 (ssh) is also firewall magic, this time forwarding all
ports to SSH on port 22</li>
<li>.12 (ext-mx) is a legacy alias for mooneye, so responds on the
same ports.</li>
<li>.18 (mussel) is our secondary shell server, and main web
server (hosts user websites and the club's website)</li>
<li>.28 (secure) is firewall magic to distribute services to
multiple computers (from before SSL certificates were free)</li>
<li>.34 (uccmonitor) is our monitoring dashboard, public so
members can check up on system health</li>
<li>.36 (uccportal) is our member signup system</li>
<li>.38 (meetings) is our video/voice conferencing system, set up
as the COVID situation evolved for use for tech talks. This
server also uses UDP for video feeds.</li>
<li>.48 (titan) is a user server (An ARM architecture machine),
hence SSH</li>
<li>.66 (heathred) is our general games server, often a new
admin's first learning ground.</li>
<li>.72 (maaxen) is a Windows server (running a web server for
Windows-only web services)</li>
<li>.68 (unisfa-koha) is the library system for a neighboring club
(web service)</li>
<li>.109 (eggman) is our clubroom music system.</li>
<li>.111 (evil) is a co-located machine run by a life member, does
lightweight monitoring of the machine room and network (showing
these results on a static webpage).</li>
<li>.137 (workhorse) is another shell machine (for doing
heavy-duty computation)</li>
<li>.138 (chordata) is a member VM. Runs ssh and a web server</li>
<li>.146 (enemy-territory) is a game server VM, gets quite a bit
of exercise now that we can't be on-campus to play together</li>
<li>.148 (experiments) is another member VM</li>
<li>.174 (diamond) is a member VM running a minecraft server</li>
<li>.177 (minecraft2019) is a club-operated minecraft VM</li>
<li>.185 (frekk-ucc) is a member VM with just ssh</li>
<li>.187 (james1-server) another member VM, just hosts a silly and
static website (and ssh)</li>
<li>.189 ("Livorno") is another member VM</li>
<li>.190 (bluering) is another member VM.</li>
</ul>
<p>Note: We're in a flurry of upgrades and restructuring at the
moment (Bored admins looking for things to do), leading to
services being shuffled between hosts. (E.g. the wiki being moved
off mooneye)<br>
</p>
<pre class="moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
<div class="moz-cite-prefix">On 14/4/20 10:58 am, Paul Fisher wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SYCPR01MB3903C0646765A6EF4B10FC6CDCDA0@SYCPR01MB3903.ausprd01.prod.outlook.com">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> Hi John,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> My apologies.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important">130.95.13.0/26 is on the 64
boundary.</span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important">Anything above <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri,
Arial, Helvetica, sans-serif; background-color: rgb(255,
255, 255); display: inline !important">130.95.13.64 can be
restricted?</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important">You might consider that we are going to be running
the whole university on less than that.</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important">If you could have a look at the scan list
provided and give a brief description of the hosts and their
purpose from an educational purpose.</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important">It doesn't have to be in great detail, just
something that provides a value proposition for education
within the UWA core business setting.</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important">Something I can use to justify maintaining the
services published in the UWA network space.</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important">Thanks</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; background-color: rgb(255, 255, 255);
display: inline !important"><span style="caret-color: rgb(0,
0, 0); font-family: Calibri, Arial, Helvetica, sans-serif;
background-color: rgb(255, 255, 255); display: inline
!important"><br>
</span></span></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> Paul
Fisher <a class="moz-txt-link-rfc2396E"
href="mailto:paul.fisher@uwa.edu.au">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
<b>Sent:</b> Tuesday, 14 April 2020 10:31 AM<br>
<b>To:</b> John Hodge <a class="moz-txt-link-rfc2396E"
href="mailto:tpg@ucc.asn.au">&lt;tpg@ucc.asn.au&gt;</a><br>
<b>Cc:</b> Geoff Costello <a class="moz-txt-link-rfc2396E"
href="mailto:geoff.costello@uwa.edu.au">&lt;geoff.costello@uwa.edu.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:tech@ucc.asn.au">tech@ucc.asn.au</a> <a
class="moz-txt-link-rfc2396E" href="mailto:tech@ucc.asn.au">&lt;tech@ucc.asn.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:wheel@ucc.asn.au">wheel@ucc.asn.au</a> <a
class="moz-txt-link-rfc2396E" href="mailto:wheel@ucc.asn.au">&lt;wheel@ucc.asn.au&gt;</a>;
Jack Bryant <a class="moz-txt-link-rfc2396E"
href="mailto:Jack.Bryant@uwa.edu.au">&lt;Jack.Bryant@uwa.edu.au&gt;</a><br>
<b>Subject:</b> Re: Clarification of requirements and plan of
action</font>
<div>&nbsp;</div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Hi John,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> It's good to hear from you,
how are you?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Things have been very busy
for us working on the <a class="moz-txt-link-freetext"
href="https://unidesk.uwa.edu.au">https://unidesk.uwa.edu.au</a>
solution.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I've created the ucc.asn.au
domain. I was waiting for you to give me one or two pheme
accounts that I can have access provisioned.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I see 2 subdomains under
uwa.edu.au delegated to ucc.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> ucc.guild.uwa.edu.au and
ucc.gu.uwa.edu.au, I have created these as subdomains in the
account however it is unlikely from the discussion I've had
these will be able to be maintained as delegated subdomains.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I've attached the zone
files I have for these zones, if you can check these for
accuracy. I'll have the records added to the parent zone and
delegation removed.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I will confirm a date with
you before proceeding.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Moving forward any records
under uwa.edu.au are part of the corporate brand and an
approval process will be required to have names allocated in
the uwa.edu.au domain.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I can see additional
domains registered in the 130.95.13.0/24 address space.<span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span>didcoe.id.au<br>
</span>
<div>shmookey.net<span style=""></span></div>
<div>unisfa.asn.au<br>
</div>
<div><br>
</div>
<div>Are these required moving forward?</div>
<div><br>
</div>
<div>From our discussions we talked about <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.0/26 being routed to
the perimeter firewall.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Is this the desired outcome for
UCC?</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">I've attached a network scan for
the <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span></span>130.95.13.0/24
network. Are we in a position to alter the firewall
rules from anything about <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.32/26 now?</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Thanks</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Paul</span></span></span></div>
<span></span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> John
Hodge <a class="moz-txt-link-rfc2396E"
href="mailto:tpg@ucc.asn.au">&lt;tpg@ucc.asn.au&gt;</a><br>
<b>Sent:</b> Thursday, 9 April 2020 8:27 AM<br>
<b>To:</b> Paul Fisher <a class="moz-txt-link-rfc2396E"
href="mailto:paul.fisher@uwa.edu.au">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
<b>Cc:</b> Geoff Costello <a class="moz-txt-link-rfc2396E"
href="mailto:geoff.costello@uwa.edu.au">&lt;geoff.costello@uwa.edu.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:tech@ucc.asn.au">tech@ucc.asn.au</a> <a
class="moz-txt-link-rfc2396E"
href="mailto:tech@ucc.asn.au">&lt;tech@ucc.asn.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:wheel@ucc.asn.au">wheel@ucc.asn.au</a> <a
class="moz-txt-link-rfc2396E"
href="mailto:wheel@ucc.asn.au">&lt;wheel@ucc.asn.au&gt;</a><br>
<b>Subject:</b> Clarification of requirements and plan of
action</font>
<div>&nbsp;</div>
</div>
<div>Paul,
<p>I haven't seen an update from our discussion several weeks
ago, so I thought I'd put to paper some notes and queries
about the move towards Cloudflare proxying.</p>
<p>My understanding is that UWA has decided (in response to
one of the steps in the ANU data breach) that websites
hosted on 130.95.0.0/16 (UWA's IP range) should not be open
to the general internet, and instead should be protected by
a reverse proxy (in this case, Cloudflare). To this end, DNS
is being pointed at Cloudflare (I assume because the DNS
service comes with the web proxy service?) and eventually
ports 443 and 80 inbound will be closed at the border
firewall (with an exception for the Cloudflare proxies).<br>
</p>
<p>Queries:</p>
<ul>
<li>What is the progress on getting access to the Cloudflare
dashboard? We would like to start on migration of services
before ports 443 and 80 start being blocked.</li>
<li>Are there any other ports (apart from 80/443) that will
be blocked at the border?<br>
</li>
<li>Is there any progress towards treating 130.95.13.0/24 as
"outside" in the core firewall (and thus side-stepping the
need to place UCC services behind Cloudflare)?</li>
</ul>
<p><br>
</p>
<p>Examples of services that cannot work with the Cloudflare
setup (running both HTTP and non-HTTP on the same hostname):</p>
<ul>
<li>GitLab (source control server): This runs both a web
server (for viewing source code, and managing permissions)
and an SSH server (used for uploading code in a secure
manner). Neither of these services support DNS "SRV"
records (which would permit different IP addresses for
HTTP/HTTPS and other services).<br>
</li>
<li>"Big Blue Button" (Video conferencing system): This
sends its video streams over UDP to a collection of high
ports (audio is sent over websockets). This system has
been used to great effect by the clubs impacted by the
COVID-19 Cameron Hall shutdown, to host their normal
events in a virtual space.</li>
<li>We currently have `secure.ucc.asn.au` that "hosts" a
whole range of encrypted services (IMAP, POP3, webmail,
VPN).</li>
</ul>
<p><br>
</p>
<pre class="x_x_moz-signature" cols="72">--
John Hodge [TPG]
UCC Wheel Member</pre>
</div>
</div>
</blockquote>
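<p>Added example (not part of the original email thread): a Python sketch of the subnet arithmetic behind the /26 discussion above. It normalises a CIDR whose written base address is not on a block boundary, as with 130.95.13.32/26, and groups the last octets from the host summary by /26 block to show which listed hosts sit outside 130.95.13.0/26. The function names are illustrative, and the host list is transcribed from the summary in the email, not from the attached scan.</p>

```python
import ipaddress

# Last octets transcribed from the email's "summary of each host with open
# ports" (not from the attached scan, which is not on the page).
LISTED_HOSTS = [1, 3, 6, 7, 8, 9, 10, 11, 12, 18, 28, 34, 36, 38, 48,
                66, 72, 68, 109, 111, 137, 138, 146, 148, 174, 177,
                185, 187, 189, 190]

# The club's range as named in the thread.
CLUB_NET = ipaddress.ip_network("130.95.13.0/24")


def normalise_cidr(text):
    """Return (network, aligned) for a CIDR string.

    aligned is False when the written base address has host bits set, as in
    130.95.13.32/26: a /26 covers 64 addresses, so blocks inside the /24
    start at .0, .64, .128 and .192, and .32 lies inside the first block.
    """
    try:
        return ipaddress.ip_network(text, strict=True), True
    except ValueError:
        # strict=False masks off the host bits; a malformed string still raises.
        return ipaddress.ip_network(text, strict=False), False


def group_by_block(last_octets, parent=CLUB_NET, new_prefix=26):
    """Map each sub-block of parent to the listed addresses inside it."""
    blocks = {block: [] for block in parent.subnets(new_prefix=new_prefix)}
    for octet in sorted(last_octets):
        addr = parent.network_address + octet
        if addr not in parent:
            raise ValueError("offset %r is outside %s" % (octet, parent))
        block = next(b for b in blocks if addr in b)
        blocks[block].append(addr)
    return blocks


def hosts_outside(last_octets, keep_cidr, parent=CLUB_NET):
    """Addresses that would need renumbering to fit inside keep_cidr."""
    keep, _aligned = normalise_cidr(keep_cidr)
    addrs = [parent.network_address + o for o in sorted(last_octets)]
    return [a for a in addrs if a not in keep]


if __name__ == "__main__":
    net, aligned = normalise_cidr("130.95.13.32/26")
    print("130.95.13.32/26 normalises to", net, "aligned:", aligned)
    for block, addrs in group_by_block(LISTED_HOSTS).items():
        print(block, len(addrs), "listed hosts")
    outside = hosts_outside(LISTED_HOSTS, "130.95.13.0/26")
    print(len(outside), "listed hosts are outside 130.95.13.0/26")
```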
</body>
</html>