<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Paul,</p>
<p><br>
</p>
<p>After sending Tuesday's email, I was informed that our off-site
backups use automated inbound ssh connections.</p>
<p><br>
</p>
<p>Could you answer a few questions we still have?</p>
<p>- How will we configure or view the contents of ucc.gu.uwa.edu.au
domain under this new system?</p>
<p>- How will the SSH (port 22) proxying work?<br>
</p>
<pre class="moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
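<p>Added example (editor's addition, not written by anyone in this thread): before a CSR such as the one quoted below is signed or forwarded to a CA, check which names it actually requests. The Python below uses only the standard library, walks the DER of a PKCS#10 request and returns the subject CN together with the dNSName entries of the subjectAltName extension request. The embedded PEM is copied verbatim from Paul's e-mail in the quoted history; the names_match_domain helper and the comparison against ucc.asn.au are assumptions added for illustration, not anything the thread specifies.</p>

```python
import base64
import re

# PEM copied verbatim from the CSR quoted in Paul Fisher's e-mail in this thread.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwaTELMAkGA1UEBhMCQVUxEzARBgNVBAoTCkNsb3VkRmxhcmUx
HTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYwJAYDVQQDEx1DbG91ZEZs
YXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKT9VAUpPJ7PuTuDP3Wm4yYvzUAgkRsh8sDVO1gD2V7wwqW7o6oqnAsX
wuxBkPRCGY8Yv+LC2Q4HRRx8XwdxFxqQcqD175Rb4Ct9JZRb/wf+uoqZhkaldbCd
ByxXMweOPYzRsNulFxpBEkIA9H8xW34Vn59GclTm+MZae7TgsfEwVry/EO0pMs97
nuJg5fLjr0garXqxTL3s8m05qojdfyDhiuPjAabKsDnHfU5A2FGNZOOr8aggAFxR
L/YExg86fy8YTumO/Jd2JKzaNYY+m/0+8juFJ3zCtQvj9ZoadSKi4NO6nvhRxD7H
7glrMEI1iHVhaw4mp303qPm9k5qXkw8CAwEAAaA6MDgGCSqGSIb3DQEJDjErMCkw
JwYDVR0RBCAwHoIOKi5yY3N3YS5lZHUuYXWCDHJjc3dhLmVkdS5hdTANBgkqhkiG
9w0BAQsFAAOCAQEAXZobpC5a3rv6xAi8Hl9Pa0aBeJkVJglAaaD/E6XBfmFcvyWZ
Qowy+19m6aIT6PSYaTuvtMpJxoog5VIcGX1vYodIEavZqp/qXJCYknDNCl8Krm8g
vvycsat/9IdpbATqYvQHvEnn8C88FvH13MkKpi5xUHlwjmGrO4tD2b0pDSF8iqpa
h6A9MCjkljorlFta9+RTPVMpvb1y9mW7jZ1PFJlkEiqu7pu6tHJpXgpprm6GGib/
hatMTwkKgdZoOV7Fyd5BY0tLO3t/kA/78k6WNvg3FZG3GbY1i9WG/m2Icpd5BVxs
yqRqCA1a1xkDBfX/dwrem+MrYABqtj1GUhQb+Q==
-----END CERTIFICATE REQUEST-----
"""

OID_COMMON_NAME = (2, 5, 4, 3)
OID_EXTENSION_REQUEST = (1, 2, 840, 113549, 1, 9, 14)
OID_SUBJECT_ALT_NAME = (2, 5, 29, 17)


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a SEQUENCE or SET into (tag, value) pairs."""
    pos, items = 0, []
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into a tuple of arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def csr_names(pem):
    """Return (common_name, [dNSName, ...]) requested by a PKCS#10 CSR."""
    tag, request, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, sig }
    # CertificationRequestInfo ::= SEQUENCE { version, subject, spki, [0] attributes }
    info = children(children(request)[0][1])
    cn = None
    for _, rdn in children(info[1][1]):            # subject: SET of RDNs
        for _, atv in children(rdn):               # AttributeTypeAndValue
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == OID_COMMON_NAME:
                cn = value.decode()
    dns_names = []
    if len(info) > 3 and info[3][0] == 0xA0:       # [0] IMPLICIT Attributes
        for _, attr in children(info[3][1]):
            (_, attr_oid), (_, values) = children(attr)
            if decode_oid(attr_oid) != OID_EXTENSION_REQUEST:
                continue
            for _, ext in children(children(values)[0][1]):   # Extensions
                fields = children(ext)
                if decode_oid(fields[0][1]) != OID_SUBJECT_ALT_NAME:
                    continue
                # last field is the OCTET STRING (an optional BOOLEAN 'critical' may precede it)
                _, general_names, _ = read_tlv(fields[-1][1], 0)
                for gn_tag, gn_value in children(general_names):
                    if gn_tag == 0x82:                         # [2] dNSName
                        dns_names.append(gn_value.decode())
    return cn, dns_names


def names_match_domain(dns_names, domain):
    """True when every requested dNSName is the domain itself or lies under it.
    Assumed policy for illustration; the thread does not define one."""
    return bool(dns_names) and all(
        n == domain or n.endswith("." + domain) for n in dns_names)


if __name__ == "__main__":
    cn, sans = csr_names(CSR_PEM)
    print("CN: ", cn)
    print("SAN:", ", ".join(sans))
    print("all names under ucc.asn.au:", names_match_domain(sans, "ucc.asn.au"))
```

<p>Run as a script it prints the CN, the SAN list and whether every SAN sits under ucc.asn.au. The quoted CSR carries the names *.rcswa.edu.au and rcswa.edu.au under the stock "CloudFlare Origin Certificate" subject, so the comparison against ucc.asn.au comes out false; whoever issues the certificate should confirm the intended names before signing. The parser deliberately ignores the signature over the request; verifying that proof-of-possession needs a cryptography library and is a separate step.</p>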
<div class="moz-cite-prefix">On 28/04/2020 10:17 pm, John Hodge
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a030fadc-38f9-e64c-81e6-c8210d85472f@ucc.asn.au">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<p>Hi Paul,</p>
<p><br>
</p>
<p>Sorry (again) for the delay in answering, but thanks for the
solid timelines.</p>
<p><br>
</p>
<p>We have been waiting for someone to contact either James or Tim
with access to the cloudflare dashboard for ucc.gu.uwa.edu.au,
so we can get it configured with the required hostnames before
the cutover date.<br>
</p>
<p><br>
</p>
<p>We are currently in the process of setting up a cloudflare
account to host our non-UWA domains, which should work as a
temporary measure while progress is made towards treating the
UCC network as separate to the rest of campus.</p>
<p><br>
</p>
<p>Regarding ports to be blocked, thank you for providing the
list. We do make heavy use of port 22 to most hosts (often using
port forwarding), so would want that to continue to work in some
form.<br>
</p>
<p><br>
</p>
<pre class="moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
<div class="moz-cite-prefix">On 22/04/2020 5:38 pm, Paul Fisher
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SYCPR01MB39037ADDED783664BA5FE97EDCD20@SYCPR01MB3903.ausprd01.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> Hi John,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> We had a meeting to
discuss the next steps for UCC, the action items to be
undertaken are.</div>
<div><br style="color: inherit; font-family: inherit; font-size:
inherit; font-style: inherit; font-variant-caps: inherit;">
<ul>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt;
background: var(--white);">ucc.gu.uwa.edu.au and </span><span
style="color: rgb(0, 0, 0); font-family: Calibri, Arial,
Helvetica, sans-serif; font-size: 12pt; background:
var(--white);">ucc.guild.uwa.edu.au delegation</span></li>
</ul>
<ul>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt;
background: var(--white);">ucc.asn.au domain</span></li>
</ul>
<ul>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt;
background: var(--white);">Inbound ports on 22, 53, 80,
and port 443 to the COGLD</span><br>
</li>
</ul>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> 1) All sub delegations of
the uwa.edu.au domain are being remediated and any zone
records hosted outside of the main Cloudflare account will
need to be updated into UWA's Cloudflare zone. Completion date
for this is scheduled for Friday the 1st of May, 10:30am.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> 2) For the ucc.asn.au
domain we would ask you create a free account with Cloudflare
under your administrative control. UWA are accepting traffic
from all affiliates via a TLS authenticated channel with
Cloudflare only for https traffic on the perimeter origin F5s.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> UCC will need to create an
origin cert (15 Years) and have someone delegated to update
the cert at short notice if required. I've attached the CSR
for the request.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> You can create as many
subdomains one level deep under ucc.asn.au via API and
they will be routed to a nominated IP. To support additional
IPs you will need to supply a 1 to 1 URL mapping of as many
server IPs as you require. Additional IPs moving forward
will be via a Service Request. I've given an example of how
the URL routing is configured on the F5 CF Origin.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> 3) Inbound ports on <span
style="caret-color: rgb(0, 0, 0); font-family: Calibri,
Arial, Helvetica, sans-serif; text-align: left;
background-color: rgb(255, 255, 255); display: inline
!important">22, 53, 80, and port 443 to the COGLD vrf will
be restricted to UWA Campus and VPN, scheduled for 8th May
2020 10:30am. If you are using SSH for automated inbound
data transfer, it will be reviewed and provision for proxy
will be made available.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important">For the rest of the
services currently in operation a solution to maintain these
in line with Cyber Security requirements of UWA is still in
progress.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important">Thanks</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important">Paul</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<pre>-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwaTELMAkGA1UEBhMCQVUxEzARBgNVBAoTCkNsb3VkRmxhcmUx
HTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYwJAYDVQQDEx1DbG91ZEZs
YXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKT9VAUpPJ7PuTuDP3Wm4yYvzUAgkRsh8sDVO1gD2V7wwqW7o6oqnAsX
wuxBkPRCGY8Yv+LC2Q4HRRx8XwdxFxqQcqD175Rb4Ct9JZRb/wf+uoqZhkaldbCd
ByxXMweOPYzRsNulFxpBEkIA9H8xW34Vn59GclTm+MZae7TgsfEwVry/EO0pMs97
nuJg5fLjr0garXqxTL3s8m05qojdfyDhiuPjAabKsDnHfU5A2FGNZOOr8aggAFxR
L/YExg86fy8YTumO/Jd2JKzaNYY+m/0+8juFJ3zCtQvj9ZoadSKi4NO6nvhRxD7H
7glrMEI1iHVhaw4mp303qPm9k5qXkw8CAwEAAaA6MDgGCSqGSIb3DQEJDjErMCkw
JwYDVR0RBCAwHoIOKi5yY3N3YS5lZHUuYXWCDHJjc3dhLmVkdS5hdTANBgkqhkiG
9w0BAQsFAAOCAQEAXZobpC5a3rv6xAi8Hl9Pa0aBeJkVJglAaaD/E6XBfmFcvyWZ
Qowy+19m6aIT6PSYaTuvtMpJxoog5VIcGX1vYodIEavZqp/qXJCYknDNCl8Krm8g
vvycsat/9IdpbATqYvQHvEnn8C88FvH13MkKpi5xUHlwjmGrO4tD2b0pDSF8iqpa
h6A9MCjkljorlFta9+RTPVMpvb1y9mW7jZ1PFJlkEiqu7pu6tHJpXgpprm6GGib/
hatMTwkKgdZoOV7Fyd5BY0tLO3t/kA/78k6WNvg3FZG3GbY1i9WG/m2Icpd5BVxs
yqRqCA1a1xkDBfX/dwrem+MrYABqtj1GUhQb+Q==
-----END CERTIFICATE REQUEST-----
</pre>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
sans-serif; text-align: left; background-color: rgb(255,
255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<pre>"webdav.rcswa.edu.au"
    {
    pool ip_130.95.169.196_443
    set usessl 1
    }
"*rcswa.edu.au"
    {
    pool ip_130.95.169.205_443
    set usessl 1
    }
</pre>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> John
Hodge <a class="moz-txt-link-rfc2396E"
href="mailto:tpg@ucc.asn.au" moz-do-not-send="true">&lt;tpg@ucc.asn.au&gt;</a><br>
<b>Sent:</b> Sunday, 19 April 2020 9:29 PM<br>
<b>To:</b> Paul Fisher <a class="moz-txt-link-rfc2396E"
href="mailto:paul.fisher@uwa.edu.au"
moz-do-not-send="true">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
<b>Cc:</b> Geoff Costello <a class="moz-txt-link-rfc2396E"
href="mailto:geoff.costello@uwa.edu.au"
moz-do-not-send="true">&lt;geoff.costello@uwa.edu.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">tech@ucc.asn.au</a>
<a class="moz-txt-link-rfc2396E"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">&lt;tech@ucc.asn.au&gt;</a>;
<a class="moz-txt-link-abbreviated"
href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">wheel@ucc.asn.au</a>
<a class="moz-txt-link-rfc2396E"
href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">&lt;wheel@ucc.asn.au&gt;</a>;
Jack Bryant <a class="moz-txt-link-rfc2396E"
href="mailto:Jack.Bryant@uwa.edu.au"
moz-do-not-send="true">&lt;Jack.Bryant@uwa.edu.au&gt;</a><br>
<b>Subject:</b> Re: Clarification of requirements and plan
of action</font>
<div>&nbsp;</div>
</div>
<div>Paul,<br>
<p><br>
Sorry for the delay in answering, my small bits of free time
have been taken up with adjusting to this social distancing
thing (and I maybe spent too much effort on this email,
trying to avoid confusion).<br>
<br>
Your email has raised some more questions, and doesn't seem
to have really addressed our queries.</p>
<p><br>
</p>
<p>From what I can glean, there's two primary tasks that your
team is trying to address.<br>
</p>
<ul>
<li>UWA wants central control and approval of all subdomains
of .uwa.edu.au</li>
<ul>
<li>Nick's email on 2020-04-17 12:10 covers parts of this
relatively well, so I won't be addressing it in this
email.</li>
</ul>
<li>There should be no externally-accessible services on the
130.95.0.0/16 network that aren't either proxied through
Cloudflare (For HTTP/HTTPS) or explicitly whitelisted.</li>
</ul>
<p><b><br>
</b></p>
<p><b>Addressing your questions</b><br>
</p>
<p><b><br>
</b></p>
<p><b>> You might consider that we are going to be running the
whole university on less than that.</b></p>
<p>Do you mean that UWA plan on exposing less than 64 hosts to
the public internet? Does this count various faculty
services (e.g. the computer science department's user
servers)?</p>
<p><br>
</p>
<b>> </b><b><i>Are we in a position to alter the firewall
rules from anything about 130.95.13.32/26 now? (Ed: </i></b><b><i>130.95.13.0/26)</i></b>
<p>What particular changes are you referring to? As Nick
covered in his email - we still don't have a working
Cloudflare setup, so blocking port 443/80 will break all
websites hosted within the UCC network. Additionally,
blocking port 53 will have similar impacts (including
preventing our SSL certificates from updating).</p>
<p><br>
</p>
<p>If you mean blocking any access to addresses outside
130.95.13.0/26, then that is also not yet possible as we
have services scattered throughout the address range.</p>
<p>Some context: We've separated our range into four regions:
trusted hosts ("machine room" - physically isolated
network), semi-trusted ("clubroom" - wired network in a
semi-public space), member virtual machines, and then the
upper quarter for misc services (e.g. NAT and VPN). There
are public services (see the list below) that live in many
parts of this range for various reasons.<br>
</p>
<br>
<br>
<b>> </b><b><i>If you could have a look at the scan list
provided and give a brief description of the hosts and
their purpose from an educational purpose.</i></b><br>
<p>I've included at the end of this email a (maybe not
too-brief) summary of each host on your list, and what
services they provide. Many of those hosts were just
exposing SSH (port 22), used for authenticated remote
access.</p>
<p><br>
</p>
<p>However - while the individual computers provide some
assistance towards the club's primary objective (which,
according to the constitution, is "for the advancement of
computer science and technologies") by facilitating the
development of interesting projects (e.g. the iodine VPN
server, dropbear ssh server, and compute power for several
PHD projects) - it is the role of the UCC network as a whole
that is the most relevant to this discussion.</p>
<p><br>
</p>
<p>The UCC network in its current form (minimally fire-walled,
overseen by "old guard") provides an enterprise-like
environment for aspiring system administrators to develop
and practice skills that would otherwise only be available
via expensive training courses or years of industry
experience. The services hosted by the UCC (e.g. a library
catalog for the science-fiction club) assist the greater UWA
community, and provide a set of clients who are (usually)
understanding when things break in this learning
process.</p>
<p><br>
</p>
<p><i>Short version</i>: It's the network itself that provides
the largest educational benefit, without that we're just a
computer lab.<br>
</p>
<br>
<p><br>
</p>
<p><b>Further Questions:</b></p>
<ul>
<li>Is there any progress/possibility of UCC continuing to
run a minimally fire-walled network segment (as we have
done for over 20 years)?</li>
<ul>
<li>We use our own border firewall, which is rather
selective in what ports are opened for each host.</li>
<li>Historically, it's only port 25 (SMTP) that has been
blocked at the UWA border, to prevent students from
sending spam.<br>
</li>
</ul>
<li>If not: What size network segment can be left for us to
firewall? You seem to be implying that a /26 is
acceptable?</li>
<ul>
<li>It'll take a few weeks to reorganize our network to
move all public hosts into one block, see above comments
about the network layout.</li>
</ul>
<li>What network ports are intended to be wholesale blocked?</li>
</ul>
<br>
<br>
<p><b>A summary of each host with open ports</b></p>
<ul>
<li>.1 (murasoi) is our primary router, it (like all other
servers) exposes SSH for remote management. All publicly
accessible SSH servers are protected by fail2ban to
prevent brute-force attacks.</li>
<li>.3 (mailauesi) is a proxy host for our mail services -
exposing authenticated SMTPS, IMAPS, and POP3S</li>
<li>.6 (gitlab) is our source control server, running SSH
(for both management and "git push") and HTTPS (for the
web interface)</li>
<li>.7 (motsugo) is our primary user shell server (hence ssh
& ident) and mail retrieval server (IMAPS and POP3S)</li>
<li>.8 (flame-tunnel) is firewall magic that forwards
traffic on any port to the "Flame" chat service on port
4242. We're looking into decommissioning this one.<br>
</li>
<li>.9 (mooneye) is our DNS and mail server, also used to
run our wiki (HTTP/HTTPS, it's been moved in the last few
weeks).</li>
<li>.10 (myxine) is the machine that hosts our OCS Inventory
system. This operates over HTTPS, hence that port
responding.</li>
<li>.11 (ssh) is also firewall magic, this time forwarding
all ports to SSH on port 22</li>
<li>.12 (ext-mx) is a legacy alias for mooneye, so responds
on the same ports.</li>
<li>.18 (mussel) is our secondary shell server, and main web
server (host user websites and the club's website)</li>
<li>.28 (secure) is firewall magic to distribute services to
multiple computers (from before SSL certificates were
free)</li>
<li>.34 (uccmonitor) is our monitoring dashboard, public so
members can check up on system health</li>
<li>.36 (uccportal) is our member signup system</li>
<li>.38 (meetings) is our video/voice conferencing system,
set up as the COVID situation evolved for use for tech
talks. This server also uses UDP for video feeds.</li>
<li>.48 (titan) is a user server (An ARM architecture
machine), hence SSH</li>
<li>.66 (heathred) is our general games server, often a new
admin's first learning ground.</li>
<li>.72 (maaxen) is a Windows server (running a web server
for windows-only web services)</li>
<li>.68 (unisfa-koha) is the library system for a
neighboring club (web service)</li>
<li>.109 (eggman) is our clubroom music system.</li>
<li>.111 (evil) is a co-located machine run by a life
member, does lightweight monitoring of the machine room
and network (showing these results on a static webpage).</li>
<li>.137 (workhorse) is another shell machine (for doing
heavy-duty computation)</li>
<li>.138 (chordata) is a member VM. Runs ssh and a web
server</li>
<li>.146 (enemy-territory) is a game server VM, gets quite a
bit of exercise now that we can't be on-campus to play
together</li>
<li>.148 (experiments) is another member VM</li>
<li>.174 (diamond) is a member VM running a minecraft server</li>
<li>.177 (minecraft2019) is a club-operated minecraft VM</li>
<li>.185 (frekk-ucc) is a member VM with just ssh</li>
<li>.187 (james1-server) another member VM, just hosts a
silly and static website (and ssh)</li>
<li>.189 ("Livorno") is another member VM</li>
<li>.190 (bluering) is another member VM.</li>
</ul>
<p>Note: We're in a flurry of upgrades and restructuring at
the moment (Bored admins looking for things to do), leading
to services being shuffled between hosts. (E.g. the wiki
being moved off mooneye)<br>
</p>
<pre class="x_moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
<div class="x_moz-cite-prefix">On 14/4/20 10:58 am, Paul
Fisher wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Hi John,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> My apologies.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.0/26 is on the 64
boundary.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Anything above <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.64 can be
restricted?</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">You might consider that we
are going to be running the whole university on less than
that.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">If you could have a look at
the scan list provided and give a brief description of
the hosts and their purpose from an educational
purpose.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">It doesn't have to be in
great detail, just something that provides a value
proposition for education within the UWA core business
setting.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Something I can use to
justify maintaining the services published in the UWA
network space.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Thanks</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Paul Fisher <a
class="x_moz-txt-link-rfc2396E"
href="mailto:paul.fisher@uwa.edu.au"
moz-do-not-send="true">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
<b>Sent:</b> Tuesday, 14 April 2020 10:31 AM<br>
<b>To:</b> John Hodge <a
class="x_moz-txt-link-rfc2396E"
href="mailto:tpg@ucc.asn.au" moz-do-not-send="true">
&lt;tpg@ucc.asn.au&gt;</a><br>
<b>Cc:</b> Geoff Costello <a
class="x_moz-txt-link-rfc2396E"
href="mailto:geoff.costello@uwa.edu.au"
moz-do-not-send="true">
&lt;geoff.costello@uwa.edu.au&gt;</a>; <a
class="x_moz-txt-link-abbreviated"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
tech@ucc.asn.au</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
&lt;tech@ucc.asn.au&gt;</a>; <a
class="x_moz-txt-link-abbreviated"
href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
wheel@ucc.asn.au</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
&lt;wheel@ucc.asn.au&gt;</a>; Jack Bryant <a
class="x_moz-txt-link-rfc2396E"
href="mailto:Jack.Bryant@uwa.edu.au"
moz-do-not-send="true"> &lt;Jack.Bryant@uwa.edu.au&gt;</a><br>
<b>Subject:</b> Re: Clarification of requirements and
plan of action</font>
<div>&nbsp;</div>
</div>
<div dir="ltr">
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Hi John,</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> It's good to hear
from you, how are you?</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Things have been very
busy for us working on the <a
class="x_moz-txt-link-freetext"
href="https://unidesk.uwa.edu.au"
moz-do-not-send="true"> https://unidesk.uwa.edu.au</a>
solution.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I've created the
ucc.asn.au domain. I was waiting for you to give me one
or two pheme accounts that I can have access
provisioned.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I see 2 subdomains
under uwa.edu.au delegated to ucc.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> ucc.guild.uwa.edu.au
and ucc.gu.uwa.edu.au, I have created these as
subdomains in the account however it is unlikely from
the discussion I've had these will be able to be
maintained as delegated subdomains.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I've attached the
zone files I have for these zones, if you can check
these for accuracy. I'll have the records added to the
parent zone and delegation removed.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I will confirm a date
with you before proceeding.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> Moving forward any
records under uwa.edu.au are part of the corporate brand
and an approval process will be required to have names
allocated in the uwa.edu.au domain.</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> I can see additional
domains registered in the 130.95.13.0/24 address space.<span></span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <span>didcoe.id.au<br>
</span>
<div>shmookey.net</div>
<div>unisfa.asn.au<br>
</div>
<div><br>
</div>
<div>Are these required moving forward?</div>
<div><br>
</div>
<div>From our discussions we talked about <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.0/26 being routed
to the perimeter firewall.</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Is this the desired
outcome for UCC?</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">I've attached a network
scan for the <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.0/24
network. Are we in a position to alter the
firewall rules for anything above <span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">130.95.13.32/26 now?</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><br>
</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Thanks</span></span></span></div>
<div><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
background-color:rgb(255,255,255);
display:inline!important">Paul</span></span></span></div>
<span></span><br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)"> <br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> John Hodge <a
class="x_moz-txt-link-rfc2396E"
href="mailto:tpg@ucc.asn.au" moz-do-not-send="true"><tpg@ucc.asn.au></a><br>
<b>Sent:</b> Thursday, 9 April 2020 8:27 AM<br>
<b>To:</b> Paul Fisher <a
class="x_moz-txt-link-rfc2396E"
href="mailto:paul.fisher@uwa.edu.au"
moz-do-not-send="true">
<paul.fisher@uwa.edu.au></a><br>
<b>Cc:</b> Geoff Costello <a
class="x_moz-txt-link-rfc2396E"
href="mailto:geoff.costello@uwa.edu.au"
moz-do-not-send="true">
<geoff.costello@uwa.edu.au></a>; <a
class="x_moz-txt-link-abbreviated"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
tech@ucc.asn.au</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
<tech@ucc.asn.au></a>; <a
class="x_moz-txt-link-abbreviated"
href="mailto:wheel@ucc.asn.au"
moz-do-not-send="true"> wheel@ucc.asn.au</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:wheel@ucc.asn.au"
moz-do-not-send="true"> <wheel@ucc.asn.au></a><br>
<b>Subject:</b> Clarification of requirements and plan
of action</font>
<div>&nbsp;</div>
</div>
<div>Paul,
<p>I haven't seen an update from our discussion several
weeks ago, so I thought I'd put to paper some notes
and queries about the move towards Cloudflare
proxying.</p>
<p>My understanding is that UWA has decided (in response
to one of the steps in the ANU data breach) that
websites hosted on 130.95.0.0/16 (UWA's IP range)
should not be open to the general internet, and
instead should be protected by a reverse proxy (in
this case, Cloudflare). To this end, DNS is being
pointed at Cloudflare (I assume because the DNS
service comes with the web proxy service?) and
eventually ports 443 and 80 inbound will be closed at
the border firewall (with an exception for the
Cloudflare proxies).<br>
</p>
<p>Queries:</p>
<ul>
<li>What is the progress on getting access to the
Cloudflare dashboard? We would like to start on
migration of services before ports 443 and 80 start
being blocked.</li>
<li>Are there any other ports (apart from 80/443) that
will be blocked at the border?<br>
</li>
<li>Is there any progress towards treating
130.95.13.0/24 as "outside" in the core firewall
(and thus side-stepping the need to place UCC
services behind Cloudflare)?</li>
</ul>
<p><br>
</p>
<p>Examples of services that cannot work with the
Cloudflare setup (running both HTTP and non-HTTP on
the same hostname):</p>
<ul>
<li>GitLab (source control server): This runs both a
web server (for viewing source code, and managing
permissions) and a SSH server (used for uploading
code in a secure manner). Neither of these services
supports DNS "SRV" records (which would permit
different IP addresses for HTTP/HTTPS and other
services).<br>
</li>
<li>"Big Blue Button" (Video conferencing system):
This sends its video streams over UDP to a
collection of high ports (audio is sent over
websockets). This system has been used to great
effect by the clubs impacted by the COVID-19 Cameron
Hall shutdown, to host their normal events in a
virtual space.</li>
<li>We currently have `secure.ucc.asn.au` that "hosts"
a whole range of encrypted services (IMAP, POP3,
webmail, VPN).</li>
</ul>
<p><br>
</p>
<pre class="x_x_x_moz-signature" cols="72">--
John Hodge [TPG]
UCC Wheel Member</pre>
</div>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
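<p>As an added example (not code from this thread or from UWA or UCC): two of the tasks above, checking the attached zone files against the 130.95.13.0/24 address space and working out which hostnames mix HTTP with non-HTTP services (the GitLab, Big Blue Button and secure.ucc.asn.au cases), are mechanical enough to script. The zone text, hostnames under <code>ucc.example</code> and the per-host service inventory below are constructed for illustration; the parser handles $ORIGIN, $TTL, comments, inherited owners and parenthesised multi-line records, and the prefix normaliser shows what Python's ipaddress makes of a prefix written with host bits set, such as 130.95.13.32/26.</p>

```python
"""Audit a BIND-style zone: which owners sit in a given IPv4 range, how they
split across sub-prefixes, and which hostnames mix HTTP with services that an
HTTP-only reverse proxy cannot carry on the same name.

Added example for this thread; the zone text and service inventory below are
constructed for illustration, not the real ucc.gu.uwa.edu.au zone.
"""
import ipaddress

# Constructed sample zone (not the zone file attached in the thread).
SAMPLE_ZONE = """\
$ORIGIN ucc.example.
$TTL 3600
@         IN SOA   ns1 hostmaster (
                     2020042201 ; serial
                     3600 900 604800 300 )
@         IN NS    ns1
ns1       IN A     130.95.13.7
www       IN A     130.95.13.10
git       IN A     130.95.13.20
bbb       IN A     130.95.13.70
secure    IN A     130.95.13.50
mail      IN CNAME secure
_sip._udp IN SRV   10 0 5060 secure
"""

# Constructed inventory of what each host exposes (proto/port or port range).
SERVICES = {
    "www.ucc.example": {"tcp/80", "tcp/443"},
    "git.ucc.example": {"tcp/80", "tcp/443", "tcp/22"},            # web + ssh
    "bbb.ucc.example": {"tcp/443", "udp/16384-32768"},             # web + media
    "secure.ucc.example": {"tcp/443", "tcp/993", "tcp/995", "udp/1194"},
}
HTTP_PORTS = {"tcp/80", "tcp/443"}


def _qualify(name, origin):
    """Turn a zone-file owner name into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text):
    """Return [(owner, rtype, rdata_tokens)] with absolute owner names."""
    origin, last_owner, records = ".", None, []
    pending, pending_indented = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop ';' comments
        if not line.strip():
            continue
        if not pending:
            pending_indented = line[0].isspace()  # indented => inherit owner
        pending.append(line.strip())
        joined = " ".join(pending)
        if joined.count("(") > joined.count(")"):
            continue                              # still inside a ( ... ) group
        pending = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if pending_indented else _qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                         # optional TTL and class
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, tokens))
    return records


def hosts_in(records, cidr):
    """Map A-record owners (without trailing dot) inside cidr to their address."""
    net = ipaddress.ip_network(cidr)
    return {owner.rstrip("."): rdata[0] for owner, rtype, rdata in records
            if rtype == "A" and ipaddress.ip_address(rdata[0]) in net}


def split_by_subnet(hosts, cidrs):
    """Group host->ip by the first listed subnet containing the address."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    groups = {str(n): {} for n in nets}
    groups["unmatched"] = {}
    for host, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        key = next((str(n) for n in nets if addr in n), "unmatched")
        groups[key][host] = ip
    return groups


def mixed_service_hosts(services, http_ports=HTTP_PORTS):
    """Hostnames serving HTTP plus something else: a single A record cannot
    send HTTP to a proxy and SSH/UDP to the origin, so these need a second
    name or a route that bypasses the proxy."""
    return sorted(h for h, ports in services.items()
                  if ports & http_ports and ports - http_ports)


def normalise_prefix(cidr):
    """Return (network, host_bits_were_set); 130.95.13.32/26 is 130.95.13.0/26."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), str(net) != cidr


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    hosts = hosts_in(recs, "130.95.13.0/24")
    for net, members in split_by_subnet(hosts, ["130.95.13.0/26", "130.95.13.64/26"]).items():
        print(f"{net}: {members}")
    print("cannot sit behind an HTTP-only proxy:", mixed_service_hosts(SERVICES))
    print("130.95.13.32/26 normalises to", normalise_prefix("130.95.13.32/26"))
```

<p>Run against a real zone file, <code>hosts_in</code> and <code>split_by_subnet</code> give the list of names that would be affected by routing one /26 to the perimeter firewall, and <code>mixed_service_hosts</code> gives the names that cannot simply be pointed at an HTTP reverse proxy without a second hostname or a bypass for their non-HTTP ports.</p>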
</body>
</html>