Saturday, July 09, 2005

What Does Your ISP Block?

The only low cost broadband provider in my neighborhood is Comcast. I determined this evening that they block ports 135-139 and 445 TCP inbound and outbound. What ports does your ISP block? I am seriously considering getting a T-1 from Speakeasy.
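A way to reproduce the outbound half of this check from your own host, added here as an example and not part of the original post: a TCP connect that completes or gets a RST means the ISP passed the SYN, while a silent timeout is the signature of a provider (or intermediate firewall) dropping it. It assumes you point it at a host you control that either listens on, or at least sends RSTs for, the ports in question; `DEFAULT_PORTS` is a constructed list built from the ports named in the post.

```python
import socket
import sys

# Ports the post reports Comcast blocking (NetBIOS/SMB), plus common
# references that should normally be reachable. Constructed list.
DEFAULT_PORTS = [135, 136, 137, 138, 139, 445, 25, 80, 443]


def classify_port(host, port, timeout=3.0):
    """Attempt one TCP connect and classify what came back.

    'open'     - handshake completed: the ISP passed the SYN, something listens
    'closed'   - RST received: the ISP passed the SYN, nothing listens
    'filtered' - no reply within timeout: SYN (or SYN/ACK) silently dropped,
                 the usual symptom of provider-side port blocking
    'error'    - other OS error, e.g. network unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def scan(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Classify each port; returns {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def likely_blocked(results):
    """Only the timed-out ports are candidates for ISP filtering; a RST
    proves the packet got through and the remote simply has no listener."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target)
    for port, state in results.items():
        print(f"{port:5d}/tcp  {state}")
    print("likely filtered by the path:", likely_blocked(results))
```

Run it from inside the ISP's network against your remote box; to confirm the inbound direction, run it from the remote box back toward a listener at home. A remote host whose own firewall drops SYNs will look identical to ISP filtering, so compare against a second vantage point before blaming the provider.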

25 comments:

David Bianco said...

Cox blocks a similar range, including outgoing port 25 (to cut down on outgoing spam). Before moving to another provider for a T1, though, you might investigate whether Comcast offers business class cable modem service. Cox does, and they don't restrict these ports. It also lets you host servers without breaking your TOS. Service runs about $100/month.

jeraklo said...

My ISP (T-Com Croatia) lets every user choose his own blocked ports. As far as I know, ACLs are implemented directly in the NAS equipment. The user is provided with a simple web GUI to choose a predefined firewall profile (no firewall, recommended fw, advanced fw) or to customize his own blocked ports. New users are automatically signed up to the recommended fw profile. This service is also a free one (added value). Neat. :)

Scott said...

Like David said, Cox blocks outgoing port 25; of course, I got around this by making their SMTP server the "smarthost" for an SMTP server I run for a friend. Worked fine for me :)

Richard Bejtlich said...

Scott, would you mind expanding on what that means and how you set it up?

Scott said...

Well, basically I wanted mail sent locally to be forwarded to me, so I hunted around for solutions to do this with sendmail. One thing I did know was that I could communicate with the SMTP server at Cox. I dug around in sendmail.cf, and one of the options is a "smart" relay host. I set that and restarted sendmail.

All mail starts going through, here is the line in sendmail.cf:

DSsmtp.east.cox.net

Then I made an alias for root to go to another external address.

Scott

Chris Buechler said...

My cable ISP (insightbb.com) also blocks 135-139 and 445 TCP inbound and outbound. Nothing else though, so it's bearable for me. Can make things difficult when doing a pen test or vulnerability assessment, but I have a box at a colocation facility I can use for those ports if need be.

Honestly, I wouldn't even consider a T1 at home. Way too pricey for way too little bandwidth. True, it's far more reliable, and if it does go down it'll be back up quickly. But I can live with a total of a day or two a year of downtime for the price/performance difference. A full T1 is $500/month here; my 6 Mb down, 512 Kb up cable modem is $90/month. Unless downtime costs you dearly, or you really need the upload speed, T1s aren't the best solution.

Of course my cable provider's network is pretty solid. Low latency (30-50 ms), good speeds (full 6 Mb almost always, when the remote server can handle it), and not a whole lot of downtime. I know those things aren't true many times with residential broadband providers though, in which case a T1 might make more sense.

Joao Barros said...

I work for a cable ISP, and while we do not block any ports, some tests were done to do so. The plan was to block either all ports <1024 or some specific ports (like 135-139, 445 and 25, as already mentioned), the size of the modem's bootfile being the limiting factor.
The idea was to assign this type of restriction to all home-based subscriptions (with an opt-out option) and leave professional subscriptions unblocked.

From the ISP's side I can only say, after accounting for the reason for all the problems we must handle (abuse, spam, phishing, zombies, etc.), that reason being Windows-based machines, that I agree with this practice.
From the customer's side, and not as your ordinary Windows user, I wouldn't want to be limited in any way, and would require the ISP to allow me to choose, not have this imposed.

Btw, I find those prices high. Is there any limitation on traffic? (normal plans on my ISP have 20GB national and 2GB international traffic included)

Anonymous said...

I'm happy with Speakeasy. Very user-friendly Terms of Service even for a residential connection. They don't block anything and allow servers.

That should be the case for any business-class connection no matter the ISP.

Anonymous said...

I'm a happy, long-time Speakeasy DSL customer. No filtering at all that I can detect. I host incoming SMTP connections and make my own outgoing SMTP connections without having to use a smarthost or relay. Very good customer service, but expensive. My 13-year old son sometimes complains of lag when playing Halo2, but I think Richard has a few more years before he has to worry about complaints like that from his family.

ugob said...

Richard, what Scott meant is that his ISP blocks outbound port 25, except to their own mail servers. Makes sense to prevent spam.

What he explained is how he managed to have an outgoing SMTP server at home by using the smart host feature.

My ISP at home only blocks 25 outbound like this, but all inbound ports are open. I like that :-).

I guess the problem with your current ISP is testing? I think the best solution would be to get cheap web hosting somewhere with ssh access, and make sure they're not firewalling anymore. You can then ssh to the box and use commands on the server, or even use ssh tunnelling and redirect ports from your computer.

RedEyeTek said...

I had Speakeasy DSL for a couple of years before I moved, and not only did it never go down, but they never appeared to block anything. They would, however, turn me off if the traffic coming from me was a worm or something.

I am thinking about getting a T-1 myself when my house is finished being built.

higB said...

Cox business blocks netbios and a number of ports even though the sales people claim it was "unfiltered" (un-filtered in their minds means 25 and 80 are ok.)

I hate Cox so much I think I will blog about how to sue ISP's for blocking ports.

By blocking ports, they are technically offering a security service (bye-bye "common carrier" shield here), and if a user gets hacked, that security service is deficient.


DIE COX!

Anonymous said...

Rich,

I saw that in the Merchandiser advert flyer that I get like bi-weekly on the south end of Manassas (~5 miles north of Dumfries on 234) that there is a wireless ISP called TRANSCON offering services. Doesn't give much detail, but you may want to call/try them. They claim service is available in all of Manassas, so you're probably in the area of coverage at both home & office locations. They say they'll have all of PWC covered in 2006.

Let us know what you find out.

Thomas

Richard Bejtlich said...

Thomas, funny you should mention Transcon. They are opening an office in the mall where I get my dry cleaning done. I'll drop by when their new location is open.

Bentley said...

I had Speakeasy for a while and must say they are a top-notch ISP. Unfortunately copper can only go so far; eventually their DSL packages won't be able to keep up with FiOS or even cable. I unfortunately have Comcast now, but plan on FiOS as soon as I can get it. From what I understand from BBR, for an extra 10 a month you can have no port blocking, bringing the total to 59.99 for a 15 Mbps connection. That's just what I have seen at BBR though; I wonder if it's true or not.

Anonymous said...

I hate Cox the most. Cox blocks all my ports. All 65,500 or so. Hell, they even banned me from the site http://www.stupidcensorship.com. I'm 24 years old with no kids, and they are trying to tell me what I can and can't watch or view. And I pay for this *%&#! Now you're gonna tell me I gotta pay more to get it uncensored. Soon, people will be paying for air to breathe. Or Die

Anonymous said...

Armstrong Cable blocks all incoming ports 1024 and below. This royally sucks considering the price I'm already paying for this stupid connection. I called them to ask for the ports to be opened, and all they told me I could do was pay $90 for a business connection.

I could always change port numbers around, but why fiddle with remembering port numbers and setting up client packages special ways just to get my connection to work?

I wasn't exactly too happy about it, but I need the bandwidth and DSL in this area just can't provide 5Mb down, 512k up. I'd really be interested in seeing what can be done legally about this. If I'm paying for my bandwidth, I should be able to use it any way shape or form (within the law) that I choose.

Anonymous said...

You're not actually "paying for bandwidth" as you would for a carrier interconnect. You're subscribing to access to their network, therefore they have rights to protect the integrity of their network. To compensate for greater risk of abuse and to help fund abuse response teams, business subscriptions cost more.

My company operates a carrier and we filter ports based on subscription level exactly for this reason. We are responsible to our carrier to keep our network clean and to prevent abuse, so the accounts are tiered and priced based on risk of abuse and predicted bandwidth usage.

We do have special pricing options for low-usage customers who wish to run servers from home for non-business purposes, but each of us has to do his/her part to keep the malicious and/or annoying traffic controlled on the Internet to keep it a usable environment.
