Port blocking - we're being ripped off

Friendly Neighbour

So, I've had to work around this problem for a couple of years, and I could deal with it. But as I was configuring some things today, I just snapped.

 

Why, TELUS, are you still blocking common (and even not-so-common) incoming ports?

In 2005 this might have been acceptable, but now, NO OTHER ISP DOES THIS! I get that you need to make profits, but forcing power users, or anyone running any service on their home network (including web/file servers, CCTV, pretty much anything you connect to from outside), to buy a business package is tantamount to extortion.

It's not like it's just 80 or 443 or 25, which I could maybe, under some special circumstances, understand, but: (with descriptions for the technologically impaired)

 

Nmap scan report for <my hostname> (<my IP address>)
Host is up (0.15s latency).
Not shown: 74 closed ports

PORT      STATE    SERVICE
9/tcp     filtered discard
21/tcp    filtered ftp             //file server, NAS (Network Attached Storage, increasingly common)
25/tcp    filtered smtp            //mail server
26/tcp    filtered rsftp           //file server, NAS (There's a good chance you have one in your home; wouldn't it be nice if you could access it from work?)
53/tcp    filtered domain
79/tcp    filtered finger
80/tcp    filtered http            //web server, some CCTV systems, about a million other things
110/tcp   filtered pop3            //mail server
135/tcp   filtered msrpc           //not even used anymore, wtf?
139/tcp   filtered netbios-ssn     //Windows homegroup sharing / Samba server
389/tcp   filtered ldap            //authentication/data stores
444/tcp   filtered snpp
445/tcp   filtered microsoft-ds    //Windows homegroup sharing / Samba server
1029/tcp  filtered ms-lsa          //Windows authentication things
1433/tcp  filtered ms-sql-s        //Windows databases
2001/tcp  filtered dc
2049/tcp  filtered nfs             //NFS - NAS or other network file systems
2717/tcp  filtered pn-requester
5009/tcp  filtered airport-admin   //Apple AirPort
5357/tcp  filtered wsdapi          //Windows - anything that accesses devices
8009/tcp  filtered ajp13
8080/tcp  filtered http-proxy      //running a proxy, also used to forward around all the other rules
8081/tcp  filtered blackice-icecap //web services, CCTV/streaming cameras, among others
9100/tcp  filtered jetdirect       //network printing
49153/tcp filtered unknown
49155/tcp filtered unknown         //is there even anything that uses these? why block them?

Does it say filtered? Yeah, Telus blocks it. I'm a student; I try to keep all my work in a centralized location, but now, in addition to working around my institution's firewall (which, in contrast, is very reasonable), I have to work around Telus' port blocking to find the 3 or so ports that are left to use. And yeah, I get that I could set up on other ports or port-forward, but I'm not a fan of having to remember 10 different port numbers just to get to my home server. This NEEDS to be changed. I'm far from the first person to bring this up (there's another thread about it a few entries down), and I'll be far from the last. You can't look me in the eye and say there's ANY good reason to keep doing this. Give your heads a shake.
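An added example, not code from the original post or from the ISP: the Python below reads an nmap report shaped like the one above and sorts the ports by what the scan can actually prove. A port reported "open" or "closed" answered the probe (SYN/ACK or RST), so nothing upstream dropped it; a port reported "filtered" with reason "no-response" only says the probe vanished somewhere between the scanner and the host, which could be the ISP, the home router or a host firewall. The script assumes the scan was run from outside the home network (a scan from inside the LAN never crosses the ISP), assumes nmap's optional --reason column is in the form "no-response" / "reset ttl N" / "admin-prohibited from ADDR", and tolerates the "//" notes the poster typed into the listing. The sample report, hostname and addresses are constructed.

```python
"""Sort an nmap report into ports that answered and ports that did not.

Added example, not code from the forum post. Assumes the scan was run
against the home WAN address from OUTSIDE the home network, so that a
dropped probe can at least have crossed the ISP. Accepts nmap's normal
output with or without --reason and ignores the poster's "//" notes.
"""
import re

# Constructed sample modelled on the post's listing (documentation
# addresses, not the poster's real host).
SAMPLE = """\
Nmap scan report for home.example.net (192.0.2.10)
Host is up (0.15s latency).
Not shown: 74 closed ports

PORT      STATE    SERVICE     REASON
21/tcp    filtered ftp         no-response //file server, NAS
25/tcp    filtered smtp        admin-prohibited from 203.0.113.1 //mail server
80/tcp    filtered http        no-response
443/tcp   closed   https       reset ttl 54
8080/tcp  filtered http-proxy  no-response
22222/tcp open     unknown     syn-ack ttl 54
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")
NOT_SHOWN_RE = re.compile(r"^Not shown:\s+(\d+)\s+(\S+)\s+ports?")


def parse_report(text):
    """Return {'ports': [...], 'not_shown': (count, state)} for one host."""
    ports, not_shown = [], (0, None)
    for line in text.splitlines():
        line = line.split("//", 1)[0].rstrip()  # drop the poster's annotations
        m = NOT_SHOWN_RE.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        port, proto, state, service, reason = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "reason": reason or ""})
    return {"ports": ports, "not_shown": not_shown}


def classify(report):
    """Split ports by whether the probe got any answer back.

    'open' and 'closed' both mean a packet came back from the target, so
    nothing on the path dropped that port. 'filtered' + 'no-response' only
    says the probe vanished: ISP, router, or host firewall. A filtered
    port whose reason names a sender ('admin-prohibited from X') pins the
    rejection on X, which is the one case the scan can attribute.
    """
    answered, dropped, prohibited = [], [], {}
    for p in report["ports"]:
        if p["state"] in ("open", "closed"):
            answered.append(p["port"])
        elif p["state"] == "filtered":
            m = re.search(r"from (\S+)", p["reason"])
            if m:
                prohibited[p["port"]] = m.group(1)
            else:
                dropped.append(p["port"])
    count, state = report["not_shown"]
    # nmap collapses the majority state; if that state is 'closed', every
    # one of those ports answered with a RST and is therefore not filtered.
    answered_hidden = count if state == "closed" else 0
    return {"answered": sorted(answered), "answered_hidden": answered_hidden,
            "dropped": sorted(dropped), "prohibited": prohibited}


if __name__ == "__main__":
    result = classify(parse_report(SAMPLE))
    print("answered (not filtered upstream):", result["answered"],
          "+", result["answered_hidden"], "collapsed closed ports")
    print("dropped somewhere on the path:   ", result["dropped"])
    print("rejected, with the sender named: ", result["prohibited"])
```

To turn "dropped" into "blocked by the ISP", repeat the scan from a host inside the LAN against the router's WAN address, or watch the router's WAN interface with tcpdump while scanning from outside: a SYN that never reaches the router was lost upstream, a SYN that arrives and gets no reply was dropped by the router or the host.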

Ambassador

Hi Telus,

I only want to host a web server for my photography as an amateur, do I need to buy the business package?

Sincerely,

SCo,

 

I understand this should be directed at Telus.  My rant as a Telus customer who switched from Shaw ;-(

Community Power User

For the flexibility and power to do what you want, purchase a shared server and do as you wish. You can get them for as little as $15/year. As for port blocking, in the past it was to protect users and the TELUS network. But on the flip side, technology has evolved to protect their network without needing to block those ports. It would be nice to have some ports opened up, but for the average home user it's not needed. Port forwarding can eliminate most issues for basic setups.


Connector

Is this why there is so much delay in online gaming? I think it is.

Community Power User
@benn1487 wrote:

Is this why there is so much delay in online gaming? I think it is.


The very limited number of ports that are blocked will have no impact on gaming. If a game used a port that was blocked, you would not be able to send out any data on that port and it would not work, period.


Ambassador

OK, I'll start by saying I agree: no ports should be blocked by the ISP. This is a crappy policy that really has no place nowadays. I will, however, argue that for 99.99% of users, these ports SHOULD be blocked by the router, and give a nice big warning when you unblock them.

 

25 is the only port I can see them justify blocking, and AFAIK Shaw blocks this one too. It's SUPER easy for an infected computer to become a spam bot if this port is open. I think they should still unblock it upon request if they can verify that you know what you are doing, but I do see their reasoning here.

 

21, 135, 139, 445, 2049, 9100, etc. should NEVER be used across the internet without an encrypted tunnel. These are a HUGE security issue.

 

80, 443, 8080, 8081: OK, wtf, why are these blocked? 80/443, I guess you could say that people *might* host for-profit web servers on a home plan? Maybe back when Telus didn't charge for excess data use this was acceptable; it seems pretty pointless now. 8080 and 8081 are nonstandard and have no use for business; I can't think of a good reason to block these.

 

Now, that being said, as much as forwarding 8080 to your security camera DVR is an easy way to access your cameras on the go, it's also an easy way for attackers to gain control of your likely very insecure DVR and use it in a botnet. If you need anything forwarded that you don't want the entire world to have full access to, you need security; a $200 DVR that runs a 6-year-old version of Linux is not secure. Web servers, mail servers, stuff that actually needs to be public-facing should be updated regularly. File servers that are public-facing need to fully encrypt the connection. Anything else should be restricted to your local LAN, and you should set up a VPN for remote access. There is no good reason to use most of these ports, and opening them is just asking for issues. However, I don't think it's the ISP's job to force people to not use them. I do think it is their job to warn them, and prevent ignorant people from opening their entire network to the internet. A simple call in, at the most, should be needed to remove these blocks.

Friendly Neighbour
@SCo They will tell you yes, but... it depends on how willing you are to use workarounds. You'll need to do 2 things:
1: You have a dynamic IP address, which means if you point a domain name to it, there's no guarantee it'll stay valid because your IP can change, but in practice they can stay pretty constant provided your modem never goes down for more than an hour or so. Dyndns.com or noip.com have services that help you work around it.
2: Web servers run on port 80. Since Telus blocks you from running a server on port 80, you'll have to use another one which isn't blocked; this is done in your server configuration file. The only downfall is your domain becomes whatever.com:xxxx where xxxx is the port you use. If you can live with this, great; if not, get a business plan or go back to Shaw or literally any other provider. Don't buy a business plan, that just gives them incentive to keep doing this bs.
Friendly Neighbour
@Kolby G Totally agree. Have them blocked in the router's firewall but editable. For people who don't have anything they need to access from the outside or don't know what they're doing, it keeps them safe-ish against botnets/hijacking. But if you know what you're doing, it should be fair game. I have a server in the DMZ with about 10 different services (including FTP, SSH, IPP, HTTP, and a few others, using nonstandard ports), many of which could be "risky", but this thing is locked down hard. I pentested it and there's no getting in. There's no danger here, just let me run my **bleep** server like every other ISP.
Connector

There are lots of easy solutions to this problem. For example, invent a port numbering scheme to help you remember your alternate port numbers. Say your favourite number is 4. HTTP runs on port 480. SSH runs on 422. SIP on 45060 (although 5060 isn't blocked, not using it is good practice). Etc., etc.

 

Alternatively, use an SSH tunnel or VPN so that you're not exposing as many ports to the internet. You also gain encryption, which may be useful for non-encrypted protocols.

 

You can't look me in the eye and say there's ANY good reason to keep doing this.

 

1) Blocking these ports offers a small layer of security for people who don't know what they're doing.

 

2) This forces people who want to run home datacentres for profit to use a business-grade internet tier.

 

You belong to a third group: power users who know what they are doing, and run your own servers for convenience. Unfortunately 1) and 2) are proportionately larger than 3). I don't work for TELUS, so this isn't an official answer, but I would be surprised if this policy changed any time soon.

Resident

There really are only two excuses for blocking those inbound ports: making more money, and reduction of traffic, whether that traffic is valid or not (i.e. spam, botnet traffic).

 

TELUS oversubscribes - promising *up to* a certain amount of bandwidth, while having so many subscribers on a segment that there's no way they can deliver near the speeds advertised. It's a pity such practices, as well as charging overages for data, are legal. TELUS is operating more like a bank than a utilities provider.

The 'security' excuse is laughable. Switching to a business account doesn't magically make the connection more secure. Whether it's a business or home user, whatever the end user is making available to the internet is just as insecure. Any InfoSec guy can tell you this, especially in the last 10 years, with backdoors being put in devices and software of all types courtesy of state actors.

 

The best security for end users is decentralization of their data. Running services on their own devices, and storing data on their own devices. Many vendors are targeting that market.

However, if you're on TELUS, you're stuck with misguided policies with a focus on profit rather than service, with excuses that just don't fly any more.

Connector

@SCo wrote:

Hi Telus,

I only want to host a web server for my photography as an amateur, do I need to buy the business package?

Sincerely,

SCo,

 

I understand this should be directed at Telus.  My rant as a Telus customer who switched from Shaw ;-(


Even with the business package it's still blocked; you have to add the static IP addresses for extra money, then they may open the ports.

TELUS Employee

Port filtering has nothing to do with online games.

 

Certain titles rely on UPnP, which is enabled on TELUS modem/routers by default.

 

As an avid gamer myself, I see no lag on my fiber. 

Are you sure it is a network issue and not a frame drop, which many interpret as lag?

 

Are you connected through your wifi or ethernet?

Resident

@Kalhas

 

The only reason why you don't experience horrible ping is because you have fiber.

 

The other 99.9% of people who don't have fiber and play games experience bad ping almost all the time, just plain unacceptable. Also, about the port filtering, there is no reason why people can't just disable the port filtering. Yes, it can be dangerous; however, people won't touch it if they don't know what they're doing and are shown a warning message.

 

It's just Telus trying to save a few bucks.

Community Power User

The only reason why you don't experience horrible ping is because you have fiber.

The other 99.9% of people who don't have fiber and plays games experiences bad ping almost all the time, just plain unacceptable.

I'm not on fiber and my pings are quite good to the US servers I play on. 40ms in many cases. Each person may have a different experience depending on the game and the server they are using. Some are much faster than others.

 

Also, about the port filtering, there is no reason why people can't just disable the port filtering. ...

Port filtering / blocking is not done on the modem. It's on Telus' end on all residential accounts. Users cannot disable it.

 

Yes, it can be dangerous; however, people won't touch it if they don't know what they're doing and are displayed with a warning message.

People have a tendency to try new things without fully comprehending the entirety of what's involved, or how to properly secure their end. They can, and will touch it. As for a warning message, you'll need new technology or software for that. There are so many things that need warning messages, prior to accessing, that just don't have them. Social media is a perfect example. The vast majority of people don't read software user agreements and thus it's unlikely anyone will read a warning message.

 

It's just Telus trying to save a few bucks.


Doubt it's costing them or saving them any money.

