What ports are blocked on Telus Fibre business internet accounts with dynamic ip addressing?

CanuckRS
Connector

We now have a Business fibre 150/150 plan, which is great, but they still block all the same ports as for residential internet. We had to upgrade to a static IP address in order to get 80/443 open. Here is a list of blocked ports for business dynamic IP address accounts.

 

The following ports will have inbound (ingress) and in some cases outbound traffic blocked.

Security Measures - Blocked Ports

Issue     Solution

TCP 21 (ftp)

    Clients running an FTP server will no longer be able to have Internet users connect to their server.
    Many clients' computers are used as FTP servers to store illegal files.

TCP 25 (smtp)

    Clients running an SMTP mail server will no longer be able to receive e-mail requests, nor will it allow outbound traffic for mail servers external to the TELUS.NET, TELUS IDCs and Hostopia networks on port 25.
    This prevents mail servers that operate as an open relay. Open relays are used without a client's knowledge to send millions of pieces of Spam.

TCP 53

    This port is being added to our security measure policy in response to DNS DoS attacks.

TCP 80 (www)

    Clients running a Web server will no longer be able to have Internet users connect to their server.
    Common exploit on old Windows IIS servers and Linux boxes that are not properly patched.

TCP 110 (pop3)

    Clients running a POP mail server will no longer be able to have Internet users connect to the server.
    Prevent mail servers that operate as an open relay. Open relays are used without a client's knowledge to send millions of pieces of Spam.

TCP 6667 (ircd)

    Clients running an IRC server (Internet Relay Chat) will no longer be able to have Internet users connect to the server.

TCP/UDP 135-139 (dcom and netbios)

    These ports are commonly exploited by worm viruses.
    135 Windows RPC
    136 PROFILE Naming System (basically unused)
    137-139 Windows NetBIOS

TCP/UDP 443 (ssl)

    Clients will not be able to accept inbound ssl connections on this port.
    There is no ability to differentiate traffic and packets sent from a POS machine (rather than a server).
    Client IP Point Of Sale (IP POS) devices are not blocked. No need for a Server plan for IP POS.

TCP/UDP 445 (ms-ds)

    Microsoft Directory Services - Clients that allow legitimate Internet users access to their computers will lose this ability.
    This allows hackers to directly connect to a Windows based computer and gain total control over the OS.

TCP/UDP 1433-1434 (ms-sql)

    Microsoft SQL server - Clients running an SQL server will no longer be able to have Internet users connect to their server.
    There are several worm viruses that exploit holes in SQL server.
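
To see which services on a host behind one of these dynamic-IP connections would be unreachable from the Internet, its listening sockets can be compared against the list above. This is an added example, not part of the original post or any TELUS tooling; the `ss -tuln` sample is constructed and the function names are illustrative.

```python
import re

# Inbound-blocked ports as listed in the post above: (protocols, first, last).
BLOCKED = [
    ({"tcp"}, 21, 21), ({"tcp"}, 25, 25), ({"tcp"}, 53, 53),
    ({"tcp"}, 80, 80), ({"tcp"}, 110, 110), ({"tcp"}, 6667, 6667),
    ({"tcp", "udp"}, 135, 139), ({"tcp", "udp"}, 443, 443),
    ({"tcp", "udp"}, 445, 445), ({"tcp", "udp"}, 1433, 1434),
]

# Constructed sample of `ss -tuln` output (not from the original post).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1194        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:1433      0.0.0.0:*
tcp   LISTEN 0      100    192.168.1.10:25     0.0.0.0:*
"""

# Listeners bound only to loopback are never exposed, so the filter is irrelevant.
LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$)")


def is_blocked(proto, port):
    """True if the list above blocks this protocol/port combination."""
    return any(proto in protos and lo <= port <= hi for protos, lo, hi in BLOCKED)


def unreachable_listeners(ss_output):
    """Return sorted (proto, port) listeners that the ISP filter would hide."""
    hits = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skips the header row and other socket types
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit() or LOOPBACK.match(addr):
            continue
        if is_blocked(fields[0], int(port)):
            hits.add((fields[0], int(port)))
    return sorted(hits)


if __name__ == "__main__":
    for proto, port in unreachable_listeners(SAMPLE_SS):
        print(f"{proto}/{port} is listening but blocked inbound on this plan")
```

Note that the UDP listener on port 53 is not flagged, because the list above names only TCP for that port.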

JTL
Connector

Yeah. And how is IPv6 handled on business plans, still a dynamic prefix?

Moderator
Moderator

Hi @JTL, yes IPv6 still does use a dynamic prefix.

JTL
Connector

Unfortunate. How do you expect business clients to run servers/VPNs over IPv6 then?

Moderator
Moderator

Hi @JTL, this won't always be the case. For now, if an organization requires the use of a static IPv6 address, they would need to explore a managed solution, which we do offer.