Port blocking... STILL?

Friendly Neighbour

So, this is directed at telus more than anything, but its customers should be aware of this...

There's been around a thread a month about this going back for a couple years. If you decided to run a web server, mail server, vpn, file storage, cctv system, home automation, or anything else that's in your home and accessible from outside, you'd drop all your money on the hardware, get home to set it up, and then find that it doesn't work because telus blocks all useful incoming ports.

There was a time when this would be an acceptable practice, but that was a long, long time ago. NO OTHER ISP - SHAW, BELL, EVEN THE SMALLER ONES - DOES THIS! It's telus' way of selling you a business package. If you want to set up a personal website or email or anything else, their response (I called about it today... again) is "we're not trained to change that, but if you want a business package", followed, essentially, by 'f*** you, you peasant, buy the **bleep** business package". This is unacceptable, enough already. This shows no benefit for security or privacy, and no benefit for telus, since someone running a commercial website would crash through their data limits almost instantly and get charged out the ass for it.

So Telus, please, just do the reasonable thing and stop blocking ports. Let your customers use the services they pay you for, before they start looking elsewhere. Between the service, the speed, the prices, the quality of the hardware we're forced to use, you guys cannot afford ANOTHER black spot on your reputation.

Reply
Connector

Here is the latest list of blocked ports. I got it using NMAP running on a Windows 10 PC connected to the bridged port of my modem with the firewall disabled. (My service is DSL.)

19/tcp filtered chargen
21/tcp filtered ftp
25/tcp filtered smtp
53/tcp filtered domain
80/tcp filtered http
110/tcp filtered pop3
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
6667/tcp filtered irc
7547/tcp filtered unknown

Looks like they added port 19 and port 53 since the last time someone posted the list.

I have a very hard time accepting these ports being blocked:

21/tcp filtered ftp
53/tcp filtered domain
80/tcp filtered http

Reply

Port 53 is often blocked because of people who leave DNS servers in default UDP configurations, which allows them to be used in a DoS attack, but other than that I agree with you.

Reply

Port 80 is still blocked in 2018? (almost 2019) > PureFibre but not pure internet

Reply

The port blocking was never intended to be a temporary measure.

From what I understand, it is blocked because hosting servers, as I mentioned before, is part of the commercial services, not the residential one.

Whining about it "still" being blocked, entitling threads about it "still" being blocked - they never said they would "un block" it.  This is not a task that isn't done yet.

From the T&C:

13. You are not permitted to operate an e-mail, web, news or other similar server through a Services account, except where such use is expressly permitted under your service plan.

There are ways around it, as has been pointed out, but this is an industry standard thing for home services.  They do block certain ports.

Reply

Use of port 80 does not automatically mean commercial use. 

Today almost every home with an internet connection has at least two devices with an HTTP, HTTPD, or lighttpd server running on port 80.

"industry standard thing for home services. "

Telus does not mean industry standard.

Reply

I have a lot of things on my network and don't need port 80. plus everything works fine.

"Today almost every home with an internet connection has at least two devices with an HTTP, HTTPD, or lighttpd server running on port 80"

What are you talking about? The collection of internal devices that have web-based administration? Printers, for example? There are a lot of things that are inside and use that port, yes. But you can map only one to external access (if it did work), and it is not something one would want exposed to the internet.

Most people don't have things that they want/need to access externally on port 80.  

Next thing you'll be complaining about needing multiple IP addresses.

Lots of residential ISPs block this port.

Most of what Telus does is the same sort of thing most internet providers do.  And generally speaking, they do it quite well.

Reply

That's a socialist way of thinking. This is Canada.

Not everyone needs more than 1 IP address. Not everyone uses or needs a router.  You can argue all you want and if you take a look at other Major and small ISPs they do not close port 80 . 

Shaw - no 

Teksavvy - NO

VMedia (using Telus IPs sometimes) - NO

Lightspeed  (using Telus IPs sometimes) - NO

Who are these other ISPs you speak about? 

Reply

There's your answer, switch to Shaw or Teksavvy then...

 

Here are the ports blocked by Cox, the Atlanta-based provider in the USA, which is the third biggest cable internet provider.

Port     Protocol  Service          Direction  Reason
25       TCP       SMTP             Both       SMTP relays (note: SMTP is only permitted outbound to Cox-provided SMTP servers)
80       TCP       HTTP             Inbound    Web servers, worms
135      UDP       NetBIOS          Both       Net Send spam / pop-ups, worms
136-139  UDP, TCP  NetBIOS          Both       Worms, Network Neighborhood
143      TCP       IMAP             Inbound    Without Transport Layer Security (TLS) enabled, customers are more susceptible to having their passwords compromised
445      TCP       MS-DS / NetBIOS  Both       Worms, Network Neighborhood
1433     TCP       MS-SQL           Inbound    Worms, Trojans
1434     UDP       MS-SQL           Inbound    Worms, SQLslammer
1900     UDP       MS-DS / NetBIOS  Both       Worms, Network Neighborhood

Reply

You brought up other ISPs. Not me.

No one is talking about SMTP mail servers or Cox USA. Almost half of the ports listed are Microsoft Windows 98/2000/IIS issues.

Reply

You were talking about "only in Canada and only Telus" blocking port 80 when I said other ISPs do it, so I merely pointed out a major ISP in the USA that did it.

Reply

Firstly, no commercial server would ever be provided without a static address, which isn't available under a residential plan. No one who is advocating that port 80 or port 21 should not be blocked is saying that a residential plan should provide static addresses.

Secondly, if what you say is true, then why is port 443 not also blocked? If port 443 is not blocked, then port 80 should not be blocked for the same reason.

Finally, most companies at least to a degree listen to their customers. Unblocking port 80 isn't going to cost Telus money. If anything, it would cost hosting companies. Unblocking 80 would make the residential service more convenient for the customers.

Reply

Okay, ask them why port 443 is not blocked while port 80 is.

Although I did say they ran their system well, I would not say "listening to customers" is Telus' strong point.  In fact, that is something they particularly suck at.

Reply

Again, if port 443 is open, why is port 80 closed?!?!?!? If there is a reason to open 443, the same reasons apply to 80.

Reply
Ambassador

Home automation and cameras work fine if you configure them correctly. The manufacturers know about this port situation and it is generally taken care of. If you want to do commercial-grade things, like web servers or FTP etc., get a commercial connection.

Particularly when you get into the higher speed categories, you are not now, nor are you likely to ever see these ports open on a home user connection.

Reply
Connector

I agree with OP

Home servers are very very common.  Almost every home has some sort of port 80 based server, embedded or on some mobile application.  The Windows 2000 IIS bug was almost 20 years ago.  

Reply
Neighbour

This is a reason why I am not moving to Telus, even though I would like to.

I use Plex quite a bit and have a Plex server at home, so that I can watch my programs when away from home or out of the country.

I haven't been able to get it working with Telus in the past.  On Shaw the ports are open and it works just fine.

It is for things like this, not a commercial server or serving up torrents, that Telus should have some ports opened up.

Reply
Connector

@hmakale wrote:

This shows no benefit for security

Actually there is a benefit for security.  Plenty of consumer-oriented devices have internal web servers used for configuration, and a large proportion of internet users don't know how security works and accidentally leave them unsecured and exposed to the internet.  This is a great way to get hacked.  We see this semi-frequently on VoIP forums when people put their VoIP hardware in DMZ and suddenly their phone bill is sky high because someone is routing calls to Qatar through their VoIP service.

It mildly sucks for people like you and me who know what we are doing and just want to run a web server for a hobby site, but I would rather pay a few bucks a month to a web hosting service than see thousands of users who don't know what they're doing unprotected.

Reply
Friendly Neighbour

So... I could understand wanting certain ports (25, really) protected to prevent the technologically illiterate from becoming spam bots. That being said, it's the way this is implemented that's the issue here. Telus could just as easily close all those ports through their garbage routers they make customers use, and offer an option in the 'advanced' section of the config page to open them up to meet the user's needs. I am well aware I could use a VPN or non-standard ports, or port forwarding, because I do all of those things. But if I, for example, wanted to give a less technologically able friend a link to my personal HTTP or FTP server, they would have to enter a nonstandard port number along with the URL; since adding ports to URLs is not a normal thing for those who don't work in IT, this could cause confusion. There should be some way, other than throwing money at the problem, to open some or all of the ports, even if it involved a call to Telus or something similar; then they could ensure the customer understands the risks of what they're doing to free Telus from any liability. My point is, for the very few cases where this might be beneficial, Telus could've achieved the exact same effect without also turning it into a cash grab.

@mbp - the only document available online which mentions this is from 2006, when port blocking was still semi-acceptable. As for Shaw suspending those accounts, were they the source of the congestion? What type of server was it? If they were running, for example, a torrent server, of course their account would be suspended. In these days of IoT, I find it highly unlikely that an ISP would suspend an account solely because a machine on the network accepts incoming connections.

@Kolby_G - I'm assuming you got that list from the document I mentioned above. From outside your LAN, run nmap on your router and scan all ports from 1-10000; by default the scans only run on common ports. Turns out Telus also blocks several nonstandard ports; 8080 and 8081 come to mind.

To take the testing a step further, put a machine in DMZ and run the scan again. All the filtered ports from the router scan come up filtered on the second scan. Also, I know lots of people who use IRC. 

Reply
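Kolby_G's list earlier in the thread and the router-then-DMZ comparison described in the post above are both just nmap port lines, so the comparison can be done mechanically. This is an added example, not code from anyone in this thread: it parses nmap's normal output and separates the ports that stay filtered with a host in the DMZ (dropped upstream, before the premises) from the ones only the router dropped. The two reports it runs on are constructed, and 203.0.113.10 is a documentation address, not a real host.

```python
import re
from typing import Dict, Set, Tuple

Port = Tuple[int, str]  # (port number, "tcp" or "udp")

# One port line of nmap's normal output, e.g. "80/tcp filtered http".
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+([a-z|]+)\s+(\S+)")


def parse_nmap(report: str) -> Dict[Port, str]:
    """Map (port, proto) -> state for each port line; header and host lines don't match."""
    states: Dict[Port, str] = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states


def filtered_ports(report: str) -> Set[Port]:
    """Ports nmap reported as 'filtered': the probes went unanswered, so something dropped them."""
    return {p for p, state in parse_nmap(report).items() if state == "filtered"}


def classify(router_scan: str, dmz_scan: str) -> Tuple[Set[Port], Set[Port]]:
    """Split the router scan's filtered ports into (blocked upstream, dropped by the router).

    A port still filtered once a host sits in the DMZ never reached the premises, so the
    ISP (or something else upstream) drops it; a port that turns open or closed on the
    DMZ host was only being dropped by the router's own firewall.
    """
    upstream = filtered_ports(router_scan) & filtered_ports(dmz_scan)
    return upstream, filtered_ports(router_scan) - upstream


# Constructed sample reports, not real scan output; 203.0.113.10 is a documentation address.
ROUTER_SCAN = """\
Nmap scan report for 203.0.113.10
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
80/tcp   filtered http
443/tcp  open     https
8080/tcp filtered http-proxy
"""
DMZ_SCAN = """\
Nmap scan report for 203.0.113.10
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https
8080/tcp filtered http-proxy
"""

if __name__ == "__main__":
    upstream, router_only = classify(ROUTER_SCAN, DMZ_SCAN)
    print("blocked upstream: ", sorted(upstream))     # [(21, 'tcp'), (80, 'tcp'), (8080, 'tcp')]
    print("router-only drops:", sorted(router_only))  # [(22, 'tcp')]
```

A port that shows as "closed" on the DMZ host reached the premises and was simply not listened on, which is why only "filtered" counts as dropped here.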

@hmakale wrote:

So... I could understand wanting certain ports (25, really) protected to prevent the technologically illiterate from becoming spam bots. That being said, it's the way this is implemented that's the issue here. Telus could just as easily close all those ports through their garbage routers they make customers use, and offer an option in the 'advanced' section of the config page to open them up to meet the user's needs. I am well aware I could use a VPN or non-standard ports, or port forwarding, because I do all of those things. But if I, for example, wanted to give a less technologically able friend a link to my personal HTTP or FTP server, they would have to enter a nonstandard port number along with the URL; since adding ports to URLs is not a normal thing for those who don't work in IT, this could cause confusion. There should be some way, other than throwing money at the problem, to open some or all of the ports, even if it involved a call to Telus or something similar; then they could ensure the customer understands the risks of what they're doing to free Telus from any liability. My point is, for the very few cases where this might be beneficial, Telus could've achieved the exact same effect without also turning it into a cash grab.

@mbp - the only document available online which mentions this is from 2006, when port blocking was still semi-acceptable. As for Shaw suspending those accounts, were they the source of the congestion? What type of server was it? If they were running, for example, a torrent server, of course their account would be suspended. In these days of IoT, I find it highly unlikely that an ISP would suspend an account solely because a machine on the network accepts incoming connections.

@Kolby_G - I'm assuming you got that list from the document I mentioned above. From outside your LAN, run nmap on your router and scan all ports from 1-10000; by default the scans only run on common ports. Turns out Telus also blocks several nonstandard ports; 8080 and 8081 come to mind.

To take the testing a step further, put a machine in DMZ and run the scan again. All the filtered ports from the router scan come up filtered on the second scan. Also, I know lots of people who use IRC. 

On your first point, I agree. I think a quick phone call to Telus, perhaps clicking "I agree" on something to indicate that you assume all liability for misuse of the ports would be fine. This would be a great way for them to please those who want the ports without any issues from their legal dept.

Second point, I've never heard of Shaw suspending accounts due to web/FTP server use other than when it was used for commercial purposes. Shaw was well aware that I was running a bunch of websites from my connection; they never mentioned anything about it. I also never noticed the torrent throttling that a lot of people had mentioned. Up until I left Shaw I had no issue getting my full speed up and down, and I averaged 2-5TB/month.

Third point: this must be something to do with the Actiontec, as I am currently running services on 8080 (DVR1), 8081 (DVR2), 8180 (Router Web Admin), 8181 (Smart Meter Energy Monitor), 8122 (Router SSH), and 8888 (Web server (large file storage)) with no issues. If you're on fiber, plug a computer directly into the Alcatel (port 1) and turn off the Windows firewall, run nmap on that and I bet you will get every port open except those in that doc. I'm curious as to what IRC is still used for... and why? Does it even support SSL?

Reply
Ambassador

@hmakale wrote:

So, this is directed at telus more than anything, but its customers should be aware of this...

There's been around a thread a month about this going back for a couple years. If you decided to run a web server, mail server, vpn, file storage, cctv system, home automation, or anything else that's in your home and accessible from outside, you'd drop all your money on the hardware, get home to set it up, and then find that it doesn't work because telus blocks all useful incoming ports.

There was a time when this would be an acceptable practice, but that was a long, long time ago. NO OTHER ISP - SHAW, BELL, EVEN THE SMALLER ONES - DOES THIS! It's telus' way of selling you a business package. If you want to set up a personal website or email or anything else, their response (I called about it today... again) is "we're not trained to change that, but if you want a business package", followed, essentially, by 'f*** you, you peasant, buy the **bleep** business package". This is unacceptable, enough already. This shows no benefit for security or privacy, and no benefit for telus, since someone running a commercial website would crash through their data limits almost instantly and get charged out the ass for it.

So Telus, please, just do the reasonable thing and stop blocking ports. Let your customers use the services they pay you for, before they start looking elsewhere. Between the service, the speed, the prices, the quality of the hardware we're forced to use, you guys cannot afford ANOTHER black spot on your reputation.

While I agree that the port blocking is pretty pointless, you do have a few things wrong. 

Here is a list of the ports that Telus blocks incoming traffic on:

TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 443 (ssl)
TCP/UDP 445 (ms-ds)
TCP/UDP 1433-1434 (ms-sql)

None of these ports are used by VPNs; you are free to use VPNs how you please. I personally run 5 IPsec site-to-site links as well as an OpenVPN server and an L2TP/IPsec server for connecting while I am away. None of these protocols are blocked.

There are a few ports in here that are "general user" ports that IMO should not be blocked:

TCP 21 (ftp)
TCP 80 (www)
TCP/UDP 443 (ssl)

80 and 443 I really don't see a reason for being blocked anymore. Data limits are in place so running a web server shouldn't really be a problem that Telus needs to worry about. 21 (ftp) IMO should not be used anyways, but a lot of crappy consumer devices still use insecure FTP....

TCP 25 (smtp)

^This one should be blocked; a lot of people could easily get malware and be used as mail relays. Shaw and Rogers block this one as well, not sure about Bell.

TCP 110 (pop3)

This one shouldn't be used. It's 2017 now, use SSL.

TCP 6667 (ircd)

No one uses IRC anymore... it's not 1995. I don't see a reason for it being blocked, but I also don't really see a reason to complain about it.

TCP/UDP 135-139 (dcom and netbios)

TCP/UDP 445 (ms-ds)

TCP/UDP 1433-1434 (ms-sql)

These ports should never, under any circumstances be used without a VPN, doing so is just plain stupid.

For regular devices that like to run on port 80, you can just redirect them to a nonstandard port anyways. Years ago, before I set up my VPN servers, I had my CCTV server running on 8080, and various other devices forwarded to 8081, 8082, etc.

Reply