Port blocking... STILL?


hmakale
Friendly Neighbour

So, this is directed at telus more than anything, but its customers should be aware of this...

There's been around a thread a month about this going back for a couple years. If you decided to run a web server, mail server, vpn, file storage, cctv system, home automation, or anything else that's in your home and accessible from outside, you'd drop all your money on the hardware, get home to set it up, and then find that it doesn't work because telus blocks all useful incoming ports.

There was a time when this would be an acceptable practice, but that was a long, long time ago. NO OTHER ISP - SHAW, BELL, EVEN THE SMALLER ONES - DOES THIS! It's telus' way of selling you a business package. If you want to set up a personal website or email or anything else, their response (I called about it today... again) is "we're not trained to change that, but if you want a business package", followed, essentially, by 'f*** you, you peasant, buy the **bleep** business package". This is unacceptable, enough already. This shows no benefit for security or privacy, and no benefit for telus, since someone running a commercial website would crash through their data limits almost instantly and get charged out the ass for it.

So Telus, please, just do the reasonable thing and stop blocking ports. Let your customers use the services they pay you for, before they start looking elsewhere. Between the service, the speed, the prices, the quality of the hardware we're forced to use, you guys cannot afford ANOTHER black spot on your reputation.

mbp
Advisor

The root of the problem is this: if you don't learn about what you buy before you buy it, that's not the fault of the companies you buy services from.

Telus doesn't hide the fact that ports are blocked, and they have been blocked for a VERY long time. The acceptable use policy still has easily located information about how many servers are still not permitted, and the connection is not guaranteed to work with all devices or software. It's not hidden. It just takes 3 seconds on Google to find.

Shaw's AUP also forbids servers (under "Bandwidth, Data Storage and Other Limitation"). Shaw's is even more strictly worded than Telus' is. I know two people who have had their Shaw connections suspended because they were on a congested node and used more bandwidth than normal because of a small server that Shaw found. That extra bandwidth was still well below the caps on their plan.

As for Bell, if you can get service from them in western Canada, go for it.

 

Kolby_G
Ambassador

@hmakale wrote:

So, this is directed at telus more than anything, but its customers should be aware of this...

There's been around a thread a month about this going back for a couple years. If you decided to run a web server, mail server, vpn, file storage, cctv system, home automation, or anything else that's in your home and accessible from outside, you'd drop all your money on the hardware, get home to set it up, and then find that it doesn't work because telus blocks all useful incoming ports.

There was a time when this would be an acceptable practice, but that was a long, long time ago. NO OTHER ISP - SHAW, BELL, EVEN THE SMALLER ONES - DOES THIS! It's telus' way of selling you a business package. If you want to set up a personal website or email or anything else, their response (I called about it today... again) is "we're not trained to change that, but if you want a business package", followed, essentially, by 'f*** you, you peasant, buy the **bleep** business package". This is unacceptable, enough already. This shows no benefit for security or privacy, and no benefit for telus, since someone running a commercial website would crash through their data limits almost instantly and get charged out the ass for it.

So Telus, please, just do the reasonable thing and stop blocking ports. Let your customers use the services they pay you for, before they start looking elsewhere. Between the service, the speed, the prices, the quality of the hardware we're forced to use, you guys cannot afford ANOTHER black spot on your reputation.


While I agree that the port blocking is pretty pointless, you do have a few things wrong. 

 

Here is a list of the ports that Telus blocks incoming traffic on:

TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 443 (ssl)
TCP/UDP 445 (ms-ds)
TCP/UDP 1433-1434 (ms-sql)

None of these ports are used by VPNs; you are free to use VPNs how you please. I personally run 5 IPsec site-to-site links as well as an OpenVPN server and an L2TP/IPsec server for connecting while I am away. None of these protocols are blocked.

There are a few ports in here that are "general user" ports that IMO should not be blocked:

TCP 21 (ftp)
TCP 80 (www)
TCP/UDP 443 (ssl)

80 and 443 I really don't see a reason for being blocked anymore. Data limits are in place, so running a web server shouldn't really be a problem that Telus needs to worry about. 21 (ftp) IMO should not be used anyway, but a lot of crappy consumer devices still use insecure FTP....

TCP 25 (smtp)
^This one should be blocked; a lot of people could easily get malware and be used as mail relays. Shaw and Rogers block this one as well, not sure about Bell.

TCP 110 (pop3)
This one shouldn't be used. It's 2017 now, use SSL.

TCP 6667 (ircd)
No one uses IRC anymore... it's not 1995. I don't see a reason for it being blocked, but I also don't really see a reason to complain about it.

TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 445 (ms-ds)
TCP/UDP 1433-1434 (ms-sql)
These ports should never, under any circumstances, be used without a VPN; doing so is just plain stupid.

For regular devices that like to run on port 80, you can just redirect them to a nonstandard port anyway. Years ago, before I set up my VPN servers, I had my CCTV server running on 8080, and various other devices forwarded to 8081, 8082, etc.

Community Power User
Community Power User

Port 6667 was in use by some botnets for a while there. Not sure if it still is.


If you find a post useful, please give the author a "Like" or mark as an accepted solution if it solves your trouble. Smiley Happy
Kolby_G
Ambassador
Most botnets I've seen recently randomize the port because UPnP is enabled on almost every consumer router. I really wish UPnP wasn't a thing....

You could be right though, I just haven't seen that recently.
Mango
Connector

@hmakale wrote:

This shows no benefit for security

Actually there is a benefit for security. Plenty of consumer-oriented devices have internal web servers used for configuration, and a large proportion of internet users don't know how security works and accidentally leave them unsecured and exposed to the internet. This is a great way to get hacked. We see this semi-frequently on VoIP forums when people put their VoIP hardware in DMZ and suddenly their phone bill is sky high because someone is routing calls to Qatar through their VoIP service.

It mildly sucks for people like you and me who know what we are doing and just want to run a web server for a hobby site, but I would rather pay a few bucks a month to a web hosting service than see thousands of users who don't know what they're doing unprotected.

hmakale
Friendly Neighbour

So... I could understand wanting certain ports (25, really) protected to prevent the technologically illiterate from becoming spam bots. That being said, it's the way this is implemented that's the issue here. Telus could just as easily close all those ports through their garbage routers they make customers use, and offer an option in the 'advanced' section of the config page to open them up to meet the user's needs. I am well aware I could use a VPN or non-standard ports, or port forwarding, because I do all of those things. But if I, for example, wanted to give a less technologically able friend a link to my personal http or ftp server, they would have to enter a nonstandard port number along with the url; since adding ports to URLs is not a normal thing for those who don't do work in IT, this could cause confusion. There should be some way, other than throwing money at the problem, to open some or all of the ports, even if it involved a call to Telus or something similar; then they could ensure the customer understands the risks of what they're doing to free Telus from any liability. My point is, for the very few cases where this might be beneficial, Telus could've achieved the exact same effect without also turning it into a cash grab.

@mbp - the only document available online which mentions this is from 2006, when port blocking was still semi-acceptable. As for Shaw suspending those accounts, were they the source of the congestion? What type of server was it? If they were running, for example, a torrent server, of course their account would be suspended. In these days of IoT, I find it highly unlikely that an ISP would suspend an account solely because a machine on the network accepts incoming connections.

@Kolby_G - I'm assuming you got that list from the document I mentioned above. From outside your LAN, run nmap on your router and scan all ports from 1-10000; by default the scan only covers common ports. Turns out Telus also blocks several nonstandard ports; 8080 and 8081 come to mind.

To take the testing a step further, put a machine in DMZ and run the scan again. All the filtered ports from the router scan come up filtered on the second scan. Also, I know lots of people who use IRC.
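
Added example, written for this thread and not code from any poster here: a small Python script that applies the two-scan comparison in the post above to nmap's grepable (-oG) output. The two scan outputs embedded in it are constructed (RFC 5737 documentation address, made-up port states); the labels it assigns (isp-filtered, router-filtered, reachable, closed) are this example's own heuristic, not an nmap feature. nmap only says "filtered" when a probe gets no answer, so a single scan cannot tell upstream filtering from the router's own firewall; comparing the scan against the router with the scan against a DMZ host is what separates the two.

```python
import re

# Constructed sample nmap grepable (-oG) output for two scans of the same
# public address, following the two-step test described in the post:
#  1) scan with only the ISP router answering on the WAN side
#  2) scan again with a test host placed in the router's DMZ
# The address is from the RFC 5737 documentation range; port states are made up.
ROUTER_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -p1-10000 -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/closed/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 1194/closed/tcp//openvpn///, 8080/filtered/tcp//http-proxy///, 8081/filtered/tcp//blackice-icecap///, 32400/closed/tcp//plex///\tIgnored State: closed (9993)
# Nmap done
"""
DMZ_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -p1-10000 -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 1194/open/tcp//openvpn///, 8080/filtered/tcp//http-proxy///, 8081/filtered/tcp//blackice-icecap///, 32400/open/tcp//plex///\tIgnored State: closed (9993)
# Nmap done
"""

# One entry of the -oG "Ports:" field: port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)///")


def parse_grepable(text):
    """Return {(port, proto): state} from nmap -oG output. Ports that nmap
    folds into the 'Ignored State' summary are simply absent (treated as closed)."""
    states = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for port, state, proto, _service in PORT_RE.findall(line):
            states[(int(port), proto)] = state
    return states


def classify(router, dmz):
    """Heuristic of this example (an assumption, not nmap semantics):
    - filtered in both scans      -> dropped before the customer equipment,
                                     i.e. consistent with ISP-side blocking
    - filtered only at the router -> the router's own firewall
    - open on the DMZ host        -> reachable service
    - otherwise                   -> nothing listening / closed"""
    verdicts = {}
    for key in sorted(set(router) | set(dmz)):
        r = router.get(key, "closed")
        d = dmz.get(key, "closed")
        if r == "filtered" and d == "filtered":
            verdicts[key] = "isp-filtered"
        elif r == "filtered":
            verdicts[key] = "router-filtered"
        elif d == "open":
            verdicts[key] = "reachable"
        else:
            verdicts[key] = "closed"
    return verdicts


def report(router_text=ROUTER_SCAN, dmz_text=DMZ_SCAN):
    """Print one line per port and return the verdict table."""
    verdicts = classify(parse_grepable(router_text), parse_grepable(dmz_text))
    for (port, proto), verdict in verdicts.items():
        print(f"{proto}/{port:<5} {verdict}")
    return verdicts


if __name__ == "__main__":
    report()
```

To use it on your own connection, run the two scans from outside your LAN with `nmap -p1-10000 -oG - <your public address>` and feed the saved outputs to `report()` in place of the constructed strings; the DMZ scan only means something if the test host's own firewall is off, as the later reply in this thread also notes.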

Kolby_G
Ambassador

@hmakale wrote:

So... I could understand wanting certain ports (25, really) protected to prevent the technologically illiterate from becoming spam bots. That being said, it's the way this is implemented that's the issue here. Telus could just as easily close all those ports through their garbage routers they make customers use, and offer an option in the 'advanced' section of the config page to open them up to meet the user's needs. I am well aware I could use a VPN or non-standard ports, or port forwarding, because I do all of those things. But if I, for example, wanted to give a less technologically able friend a link to my personal http or ftp server, they would have to enter a nonstandard port number along with the url; since adding ports to URLs is not a normal thing for those who don't do work in IT, this could cause confusion. There should be some way, other than throwing money at the problem, to open some or all of the ports, even if it involved a call to Telus or something similar; then they could ensure the customer understands the risks of what they're doing to free Telus from any liability. My point is, for the very few cases where this might be beneficial, Telus could've achieved the exact same effect without also turning it into a cash grab.

@mbp - the only document available online which mentions this is from 2006, when port blocking was still semi-acceptable. As for Shaw suspending those accounts, were they the source of the congestion? What type of server was it? If they were running, for example, a torrent server, of course their account would be suspended. In these days of IoT, I find it highly unlikely that an ISP would suspend an account solely because a machine on the network accepts incoming connections.

@Kolby_G - I'm assuming you got that list from the document I mentioned above. From outside your LAN, run nmap on your router and scan all ports from 1-10000; by default the scan only covers common ports. Turns out Telus also blocks several nonstandard ports; 8080 and 8081 come to mind.

To take the testing a step further, put a machine in DMZ and run the scan again. All the filtered ports from the router scan come up filtered on the second scan. Also, I know lots of people who use IRC.


On your first point, I agree. I think a quick phone call to Telus, perhaps clicking "I agree" on something to indicate that you assume all liability for misuse of the ports, would be fine. This would be a great way for them to please those who want the ports without any issues from their legal dept.

Second point, I've never heard of Shaw suspending accounts due to web/ftp server use other than when it was used for commercial purposes. Shaw was well aware that I was running a bunch of websites from my connection; they never mentioned anything about it. I also never noticed the torrent throttling that a lot of people had mentioned. Up until I left Shaw I had no issue getting my full speed up and down, and I averaged 2-5TB/month.

Third point, this must be something to do with the Actiontec, as I am currently running services on 8080 (DVR1), 8081 (DVR2), 8180 (router web admin), 8181 (smart meter energy monitor), 8122 (router SSH), and 8888 (web server, large file storage) with no issues. If you're on fiber, plug a computer directly into the Alcatel (port 1), turn off the Windows firewall, run nmap on that, and I bet you will get every port open except those in that doc. I'm curious as to what IRC is still used for... and why? Does it even support SSL?

MediumDaddy
Neighbour

This is a reason why I am not moving to Telus, even though I would like to.

I use Plex quite a bit and have a Plex server at home, so that I can watch my programs when away from home or out of the country.

I haven't been able to get it working with Telus in the past. On Shaw the ports are open and it works just fine.

It is for things like this, not a commercial server or serving up torrents, that Telus should have some ports opened up.

CalgaryNetwork
Connector

OpenVPN runs on almost all of those ports listed.

@Kolby_G wrote:

Here is a list of the ports that Telus blocks incoming traffic on:

TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 443 (ssl)
TCP/UDP 445 (ms-ds)
TCP/UDP 1433-1434 (ms-sql)

None of these ports are used by VPNs; you are free to use VPNs how you please. I personally run 5 IPsec site-to-site links as well as an OpenVPN server and an L2TP/IPsec server for connecting while I am away. None of these protocols are blocked.

CalgaryNetwork
Connector

I agree with OP.

Home servers are very, very common. Almost every home has some sort of port 80 based server, embedded or on some mobile application. The Windows 2000 IIS bug was almost 20 years ago.

Kolby_G
Ambassador

@CalgaryNetwork wrote:

OpenVPN runs on almost all of those ports listed.

@Kolby_G wrote:

Here is a list of the ports that Telus blocks incoming traffic on:

TCP 21 (ftp)
TCP 25 (smtp)
TCP 80 (www)
TCP 110 (pop3)
TCP 6667 (ircd)
TCP/UDP 135-139 (dcom and netbios)
TCP/UDP 443 (ssl)
TCP/UDP 445 (ms-ds)
TCP/UDP 1433-1434 (ms-sql)

None of these ports are used by VPNs; you are free to use VPNs how you please. I personally run 5 IPsec site-to-site links as well as an OpenVPN server and an L2TP/IPsec server for connecting while I am away. None of these protocols are blocked.


OpenVPN runs on port 1194. Just like every service you *can* make it run on any port you wish, but 1194 is standard. The only VPN that has its default port blocked is SSTP (443).

hlouie
Resident

Currently, I have a consumer based home internet line (not a business line) and my Plex is working. I went into the Telus Router -> Firewall -> Port Forwarding, entered a FIXED IP address of Plex with the port address. Now the key is waiting about 12 hours before trying to Plex. I've tested the open with http://www.whatsmyip.org/port-scanner/

 

Telus router T3200M

Firewall -> Firewall -> NAT Only or Low or Medium or High

Firewall -> DMZ Hosting -> Disable

[attached screenshot: Plex 01.PNG]

AndyMac
Resident

Hi there,

 

I have had the same problem, and managed to fix it. I tried using a different external port (i.e. not 32400). Note that the internal port does not change.

 

Here are my router and Plex settings:

[attached screenshots: Untitled.png, Untitled2.png]

 

I hope this helps!
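
Added example, not code from any poster here and not Telus, Actiontec or Plex software: a user-space TCP relay on loopback that shows what the router port-forwarding rules in the two posts above (and the "redirect them to a nonstandard port" remark earlier in the thread) actually do, namely accept on one "external" port and hand the connection to a different "internal" port where the real service listens. The echo service standing in for the internal service, the test message, and the function names start_forwarder, start_echo_service and demo are this example's own; the ports are picked by the OS so it runs anywhere.

```python
import socket
import threading


def _listen(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # short timeout so the accept loop can notice the stop flag
    return srv


def _accept_loop(srv, handler, stop):
    """Accept connections until stop is set, one handler thread per connection."""
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        conn.setblocking(True)  # per-connection sockets stay fully blocking
        threading.Thread(target=handler, args=(conn,), daemon=True).start()
    srv.close()


def _pump(src, dst):
    """Copy bytes one way until src hangs up, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port, target_host, target_port):
    """External port -> internal port relay (the port-forwarding idea, done in
    user space). Returns (bound_external_port, stop_event)."""
    srv = _listen(port=listen_port)
    stop = threading.Event()

    def handle(client):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()  # internal service down: drop the external connection
            return
        upstream.settimeout(None)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)  # runs here until the internal service hangs up
        client.close()
        upstream.close()

    threading.Thread(target=_accept_loop, args=(srv, handle, stop), daemon=True).start()
    return srv.getsockname()[1], stop


def start_echo_service(port=0):
    """Constructed stand-in for the internal service (a media server on its
    fixed port, say): answers one request with a tagged copy of it."""
    srv = _listen(port=port)
    stop = threading.Event()

    def handle(conn):
        with conn:
            data = conn.recv(4096)
            conn.sendall(b"internal-service:" + data)

    threading.Thread(target=_accept_loop, args=(srv, handle, stop), daemon=True).start()
    return srv.getsockname()[1], stop


def demo(message=b"hello"):
    """Wire an external port to a different internal port on loopback and push
    one message through. Returns (external_port, internal_port, reply)."""
    internal_port, stop_internal = start_echo_service()
    external_port, stop_external = start_forwarder(0, "127.0.0.1", internal_port)
    try:
        with socket.create_connection(("127.0.0.1", external_port), timeout=5) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)  # tell the relay we are done sending
            reply = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        stop_external.set()
        stop_internal.set()
    return external_port, internal_port, reply


if __name__ == "__main__":
    ext, internal, reply = demo()
    print(f"external :{ext} -> internal :{internal} replied {reply!r}")
```

The relay is the same shape whether it lives in the router's NAT table or in a process like this one: whoever connects to the external port never learns or needs the internal one, which is why a service can keep its fixed internal port while the externally advertised port is changed to one the ISP does not filter.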

CalgaryNetwork
Connector

It's almost 2019, TELUS needs to open port 80!!

BillTelusCust
Ambassador

Home automation and cameras work fine if you configure them correctly. The manufacturers know about this port situation and it is generally taken care of. If you want to do commercial grade things, like web servers or FTP etc., get a commercial connection.

Particularly when you get into the higher speed categories, you are not now, nor are you likely to ever see these ports open on a home user connection.

rc
Ambassador

@CalgaryNetwork wrote:

It's almost 2019, TELUS needs to open port 80!!


I don't think there has been anything that occurred in the last few years that would cause Telus to change their policy.

I would expect that one of the reasons they blocked port 80 was the issues hacked webservers caused on the network. This has not changed over time.

Telus made a business decision that the problems / costs associated with inexperienced people running servers on the network were not worth it.

There are posts on this forum complaining about telus.net getting blacklisted because it was identified as a source of email spam.

moonny
Resident

AFAIK, port 443 is not blocked anymore (80 is still blocked though), at least it is not for a friend of mine on Telus fiber 150/150.

Plex will run on any port.
OpenVPN will run on any port.

If you really need a webserver, get Cloudflare (it is free), and it will proxy traffic to 443 or some other ports that are open for sure on Telus: https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-

If you get your domain from Namecheap, they will forward :80 to :443 for you.

You can use Let's Encrypt to get free SSL certs as well for your webserver if you are running on 443.

I mean, come on people. Exactly, it is 2019, so there are a crapload of options out there to make it work. Stop complaining.

JTL
Advocate

The reasons why they (Telus) blocked ports back in circa 2004 are irrelevant now. Almost everyone has a NAT/firewalled router by default now. If people are sending out spam or whatever, just cut em off.

Community Power User
Community Power User

I believe the blocking came about previously for a couple possible reasons. One was that the terms of service used to forbid the running of servers of any kind on home internet packages. The provision is still there in the terms of service.

 

13. You are not permitted to operate an e-mail, web, news or other similar server through a Services account, except where such use is expressly permitted under your service plan

A couple of the ports I know were blocked because they were being actively exploited by some viruses and botnets. Most of those viruses are more or less extinct in the wild now. Port 6667 is still used in some botnets, though blocking that port won't affect the extreme majority of users, as IRC is not commonly used anymore, and I doubt anyone is hosting an IRC server from home these days.

 

As for spam, unless they're using Telus' email servers, Telus will have no idea if the user is spamming unless some third party complains and has enough proof.