Server regulations

Most users of ResNet use the network for client applications such as web and email. However, we are aware that some users have broader needs to run servers as well as clients. We allow this as much as possible, as long as it does not cause problems with security, bandwidth or disruption of other services.

Before running any server software you must read and agree to this document. Then email the ResNet help desk and ask for permission, detailing what services you wish to offer, the ports on which they will run, and the OS and software you will use to do so. There are certain services that you won't be permitted to run as they could interfere with the correct operation of the network. Other servers are fine, or are allowed provided they are configured in a certain way.

If in any doubt about the regulations on servers, always contact the ResNet Helpdesk for advice.

Restrictions on all servers

You must be aware and agree that:

  • You must ensure that your computer is secure and cannot be broken into by someone else. Keeping a server secure can be a difficult task as new vulnerabilities are continually reported. You need to subscribe to relevant mailing lists and apply patches as soon as they are available.
  • Note that under the ResNet regulations, if someone else takes over your computer system and breaks the regulations, you will also be held responsible for those actions due to your negligence in not securing the system.
  • ResNet is intended for educational and personal use only - we can't permit commercial use as this would break agreements under which the University receives its network access. Commercial use would include, for example, hosting a website for a company external to the University.
  • You must abide by the ResNet regulations and the law on copyright. You must not make copyrighted materials available to other people without permission from the copyright holder.
  • Logs must be made of all service access and kept for a minimum of 6 weeks. A daily time sync with ntp0.resnet.bristol.ac.uk or time-srv.resnet.bristol.ac.uk is required to ensure date and time are accurate.
  • If any non-anonymous services are offered to people other than the registered ResNet user, then accounts on the machine must conform to the University common username scheme.
  • Only people who are members of the University with an email address @bristol.ac.uk may be registered on any system.
  • A number of services are firewalled out so that connections on certain ports from outside the University will never reach servers on ResNet. This is done to protect vulnerable systems from automated attacks and notably includes web, FTP and telnet servers. We cannot make exceptions to these restrictions on a case-by-case basis, and may add further restrictions at any time it becomes necessary. Fewer restrictions are in place between ResNet and the rest of the University so that educational use is not discouraged. Access from outside the University is possible only if the server is running on a non-standard port.
  • There are no guarantees that your network connection will stay up permanently. There will be interruptions due to scheduled maintenance or unexpected problems.
  • Bandwidth is limited collectively in incoming and outgoing directions. If your server generates very large amounts of traffic to the detriment of other users you will be required to stop it.
  • Your IP address is likely to stay the same for very long periods but may change. Your DNS registration will remain constant for the whole year. Check your IP address and then use this to find out your DNS name. If you need to give your server address to someone else or access your server yourself from elsewhere, use the DNS name.
  • The University may port-scan the network including your system for security reasons to see what services are operating.
  • You are responsible for ensuring that your server is correctly licensed. For example, if you are using Windows NT or Windows 2000 you must have the necessary connector licenses for the services you offer.
  • ResNet now operates a default deny firewall for unsolicited incoming connections from outside the University. Connections from other parts of the University network are not restricted. Certain ports are allowed through the firewall for servers such as web or SSH servers, but these are not the standard ports. See Constrained services below.

Proscribed Services

These may not be offered under any circumstances:

  • DHCP/BOOTP (ports 67 and 68)
  • Any routing protocols
  • PCNFSD (this is an RPC-based service, so ports vary)
  • NNTP (port 119) (i.e. you must not operate a Usenet News server)
  • Any "reflector" type services (e.g. as used by an Mbone-aware node to redistribute multicast traffic)
  • Any dial-in services
  • Authentication type services (e.g. Kerberos)
  • Any proxy services that redistribute network access

Constrained services

These services can be offered provided they are configured as below.

1. FTP

Anonymous FTP servers must conform to Information Services guidelines. In particular, anonymous FTP uploads are not allowed. Do not set up a non-anonymous FTP server, as credentials are transmitted in the clear.

2. Email (port 25)

2.1 The system must be configured to "masquerade" as .bristol.ac.uk, but non-person identifiers must be "exposed" (in sendmail speak). This means that mail sent from a user account (e.g. ab0123) must appear to come from ab0123@bristol.ac.uk (a valid address), but mail from the root account and other non-personal accounts must not appear to come from root@bristol.ac.uk.

2.2 Mail sent from outside of the Bristol network to addresses of the form whomever@whatever.resnet.bristol.ac.uk will not (ever) be deliverable.

2.3 The mail transfer agent must deny all mail relay operations.

2.4 The mail transfer agent must be configured to transmit all messages via smtp-srv.resnet.bristol.ac.uk.
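
A sendmail.mc fragment that satisfies 2.1, 2.3 and 2.4 is sketched below. It is an added example, not configuration supplied by ResNet. It assumes sendmail 8.9 or later on Linux; the OSTYPE value, the VERSIONID string, the exposed accounts other than root, and the use of masquerade_envelope are assumptions.

```m4
dnl Added example (not ResNet-supplied): sendmail.mc for a ResNet host.
dnl Assumes sendmail 8.9 or later; adjust OSTYPE to match your system.
VERSIONID(`resnet-example')dnl
OSTYPE(`linux')dnl
dnl
dnl 2.1: rewrite sender addresses from user accounts to
dnl      username@bristol.ac.uk. The local account name must therefore
dnl      match the University username (e.g. ab0123).
MASQUERADE_AS(`bristol.ac.uk')dnl
dnl Assumption: also rewrite the envelope sender, so that bounces go to
dnl the valid @bristol.ac.uk address rather than the ResNet hostname.
FEATURE(`masquerade_envelope')dnl
dnl
dnl 2.1: "expose" non-personal accounts so they keep the real hostname
dnl      and never appear as root@bristol.ac.uk. Accounts other than
dnl      root are assumptions; list every system account that sends mail.
EXPOSED_USER(`root')dnl
EXPOSED_USER(`daemon')dnl
EXPOSED_USER(`postmaster')dnl
dnl
dnl 2.3: sendmail 8.9 and later refuses to relay by default. Do NOT add
dnl      FEATURE(promiscuous_relay) or FEATURE(relay_entire_domain), and
dnl      keep /etc/mail/relay-domains absent or empty.
dnl
dnl 2.4: hand all outbound mail to the ResNet SMTP server.
define(`SMART_HOST', `smtp-srv.resnet.bristol.ac.uk')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Rebuild sendmail.cf from this file with m4 and restart sendmail, then send test messages from a user account and from root and check the From: header on each.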

3. DNS

If a DNS server is run, it must be configured to deny all zone transfer requests. It must also be configured to pull zone data from dns1.resnet.bristol.ac.uk.

4. SSH

If you wish your SSH/SFTP server to be accessible from outside the University, your server must be configured to run on port 2222. This port is specifically allowed through the firewall for this purpose.

5. Web

If you wish your web server to be accessible from outside the University, your web server must be configured to run on port 8008. This port is specifically allowed through the firewall for this purpose.