Changes in the CERN Firewall Openings

As agreed between departments and LHC experiments at the last ITSRM meeting, the default configuration of CERN’s outer perimeter firewall will be changed such that outgoing traffic from source ports 1-1023/tcp and 1-1023/udp will be blocked by default. Exceptions for NTP might be kept. These measures will be applied from Tuesday 13 March. Existing firewall openings for incoming traffic will not be affected.

Currently, correct use of the TCP and UDP protocols already prevents a client from using these lower ports as the source port of an outgoing connection, and indeed the current outgoing traffic from these ports is remarkably low. Only misconfigured or “malicious” devices have been observed using them. With this closure, such traffic will be blocked inside CERN rather than polluting the Internet.
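To make the effect of the new default concrete, the following added example (not CERN’s firewall configuration or code) classifies outbound flows the way the rule above would: anything with a source port in 1-1023/tcp or 1-1023/udp is blocked, ordinary clients on ephemeral source ports pass, and an NTP exception is kept. The log line format, the placeholder addresses and the reading of the NTP exception as udp/123 to udp/123 are all assumptions of the example; it can be pointed at a pre-change flow export to list the hosts that would start being blocked on 13 March so they can be fixed beforehand.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

LOW_PORT_MAX = 1023  # the 1-1023/tcp and 1-1023/udp range named in the notice
NTP_PORT = 123       # assumption: the NTP exception means udp/123 -> udp/123 only


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed line format for this example (not a real exporter's format):
#   "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_flow(line: str) -> Flow:
    """Parse one outbound flow record; raise on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    proto, sip, sport, dip, dport = m.groups()
    return Flow(proto, sip, int(sport), dip, int(dport))


def uses_low_source_port(flow: Flow) -> bool:
    """True when the source port falls in the range the new default blocks."""
    return 1 <= flow.src_port <= LOW_PORT_MAX


def is_ntp_exception(flow: Flow) -> bool:
    """Symmetric NTP (udp/123 on both ends) is the one low-port case kept open here."""
    return flow.proto == "udp" and flow.src_port == NTP_PORT and flow.dst_port == NTP_PORT


def egress_verdict(flow: Flow) -> str:
    """'allow' for ephemeral-port clients, 'allow-ntp' for the exception, 'block' otherwise."""
    if not uses_low_source_port(flow):
        return "allow"
    if is_ntp_exception(flow):
        return "allow-ntp"
    return "block"


# Constructed sample flows using documentation address ranges (RFC 5737).
SAMPLE_LOG = """\
tcp 192.0.2.10:51234 -> 198.51.100.7:443
udp 192.0.2.11:123 -> 198.51.100.9:123
tcp 192.0.2.12:80 -> 198.51.100.20:443
udp 192.0.2.12:53 -> 198.51.100.21:53
tcp 192.0.2.13:1024 -> 198.51.100.22:22
udp 192.0.2.14:1023 -> 198.51.100.23:161
"""


def blocked_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count, per internal source address, the flows the new default would block."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if egress_verdict(flow) == "block":
            counts[flow.src_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(blocked_by_source(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} outbound flow(s) would be blocked; check the host for misconfiguration")
```

Hosts that show up in the output are the ones the notice describes: devices that bind a privileged port as the source of an outgoing connection, which a correctly behaving TCP/UDP client never does. Port 1024 is deliberately in the sample to show the boundary: it is the first port outside the blocked range and passes.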

by Computer Security Team