FAQ # 10778 Blocked Ports in Comcast HSI

FAQ # 10778 Blocked Ports in Comcast HSI http://www.dslreports.com/forum/r15481407 en Sun, 29 Nov 2009 02:38:55 EDT Sun, 29 Nov 2009 02:38:55 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15848890 NormanS :

said by joncrane

:

OK, I don't have any alternative ways to connect to the internet. I don't have any way of "seeing" from the outside without looking out through the same window first.

In that case, you will need a cooperative friend who understands how to do this. He need not be on Comcast, he just needs to understand, and have the tools, to initiate a port scan against your connection.

Addendum:

If you have a router which can email logs on a triggered event, you could even do it from a friend's connection without being present at your own computer.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15848890 Fri, 07 Apr 2006 13:22:48 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15848864 joncrane : OK, I don't have any alternative ways to connect to the internet. I don't have any way of "seeing" from the outside without looking out through the same window first.]]> http://www.dslreports.com/forum/remark,15848864 Fri, 07 Apr 2006 13:17:21 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15848741 NormanS :

said by joncrane

:

well, tell me what to do!

I'm fairly savvy; have at least one functioning Ubuntu Box as well as am XP Home box....many more on the way.

One method would be to have another ISP. Even a dial-up service would work for testing your Comcast connection from the outside.

You need to run 'route add' (from a 'CMD' prompt) to create a route through the dial-up connection to your Comcast IP address. At the command prompt type:

route add [Comcast_IP_Address] mask 255.255.255.255 [Dial-up_Gateway_IP_Address]

As an example, I would use:

route add 68.127.136.215 mask 255.255.255.255 192.168.102.2

That will route all packets destined for my at&t Yahoo! HSI IP address through a secondary router on my LAN; one which has a dial-up modem attached. Because at&t Yahoo! HSI allows me to maintain, simultaneously, one DSL connection and one dial-up connection, I can probe my DSL connecting from my dial-up connection using this technique.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15848741 Fri, 07 Apr 2006 13:02:20 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15846876 Johkal : From this FAQ »Comcast High Speed Internet FAQ »What ports does Comcast block?, we are trying to validate these blocked ports & any others that may be. I have no way of testing since Comcast is not my ISP. You choose the methods. If you need any advice, there are members in this thread who are more knowledgeable the I.

Thanks!
--
Write me up for 125.......I Can't Drive 55 »redrocker.com/ »cabowabo.com/]]> http://www.dslreports.com/forum/remark,15846876 Fri, 07 Apr 2006 07:07:55 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15845371 joncrane : well, tell me what to do!

I'm fairly savvy; have at least one functioning Ubuntu Box as well as am XP Home box....many more on the way.]]> http://www.dslreports.com/forum/remark,15845371 Thu, 06 Apr 2006 22:50:17 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15844783 Johkal : If you are willing, all help is always appreciated. :)]]> http://www.dslreports.com/forum/remark,15844783 Thu, 06 Apr 2006 21:26:25 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15843925 joncrane : I'd be willing to try to do some testing.

I just got hooked up today.

Also looks like this topic is dead.]]> http://www.dslreports.com/forum/remark,15843925 Thu, 06 Apr 2006 19:29:57 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15515961 NormanS : You might say. I was just wondering...why?]]> http://www.dslreports.com/forum/remark,15515961 Mon, 20 Feb 2006 00:06:45 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15513677 Nerdtalker :

said by NormanS

:

¿Que? Warum? Naze?

Um... :hmm:

You know that by "live person" I meant someone manually scanning with nmap or a comparable port scanner, right? Is that what you're referring to?
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15513677 Sun, 19 Feb 2006 18:21:35 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15513554 NormanS : ¿Que? Warum? Naze?]]> http://www.dslreports.com/forum/remark,15513554 Sun, 19 Feb 2006 18:01:36 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15512784 Nerdtalker :

said by NormanS

:

Whether a port is open locally, or closed locally, if it is blocked at the ISP routers, it will appear to be "stealth" from an external connection; barring that the external probe is on the same ISP subnet.

Yes. ;) I do think, however, that if we start doing this we should mandate using something other than GRC shields-up for scanning, rather, a live person.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15512784 Sun, 19 Feb 2006 15:43:49 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15512744 NormanS :

said by Nerdtalker

:

You read my post entirely out of context.

It appears so. But you don't need to know what ports are open locally, behind the router, to see which ports are blocked by the ISP. Whether a port is open locally, or closed locally, if it is blocked at the ISP routers, it will appear to be "stealth" from an external connection; barring that the external probe is on the same ISP subnet.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15512744 Sun, 19 Feb 2006 15:35:07 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15512319 Nerdtalker :

said by NormanS

:

Well, yes, and no. I can run 'netstat' on my computer, and see what ports are listening for connections. I can call a remote ports scan down on that same computer, and see no open ports from the Internet. You can only be certain of what ports are open to the Internet by running a port scan from the Internet.

Yeah, I know, that's what I'm saying.

If I run a portscan on the target machine from my remote computer and see the ports I'm interested in as stealth, the only way to know whether that's because the ISP is blocking them, or they weren't open in the first place is to have someone make sure that they were open on the target by running netstat -an.

You read my post entirely out of context.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15512319 Sun, 19 Feb 2006 14:15:41 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15510089 NormanS :

said by jbob

:

Hmmm Looks like I do have that capability in my router. To trust an IP that is. I've been PMing with Nerdtalker discussing how it needs to be setup. I might have to be running a *nix distro for any real conclusions. I'm not so geeky enough that I am sure of all what needs to be done so I'd gladly take some suggestions.

The other issue is how do we know the difference between blocked incoming or outgoing ports? Probing me will only show inbound blocked ports correct? How do we determine outbound blocked ports?

When I checked the inbound ports that SBC was blocking, I set one computer (the one from which I would request the port scan) in the DMZ. I didn't mess with an SPI filter because it was easier for me to create a transient rule in Kerio Personal Firewall 2.1.5.

GRC ShieldsUp! probes, per their site, come from an IP address in the range 4.79.142.192/28 (using CIDR notation). By my router logs, 4.79.142.206. So my plan would be: set the computer, 192.168.102.100 in the DMZ. Set a rule in KPF to allow unsolicited packets to any port from 4.79.142.206; and, if desired, log them. The GRC site will show, as in your screen shot, which ports react as 'open' (local services running), which port react as 'closed' (no local services running), and which ports react as 'stealth' (unable to tell if the computer is reacting).

For outbound testing, you will need the cooperation of a third party, willing to treat a connection from you as you are treating the connection from GRC. And you will need to run a port scanner from your computer against their computer.

Or, if you can manage the network configuration, and you have dial-up access to the Internet, as well as cable access, you could scan your own ports. Here is an excerpt from Kiwi Syslog Daemon, showing incoming scans to my DSL connection; recorded by a Netgear FR114P router:

2006-02-18 22:44:25Local7.Warning192.168.102.12006 Feb 18 22:44:05 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64443 ,WAN
                          - Destination:192.168.1.64,515 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:26Local7.Warning192.168.102.12006 Feb 18 22:44:06 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64445 ,WAN
                          - Destination:192.168.1.64,516 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:26Local7.Warning192.168.102.12006 Feb 18 22:44:06 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64447 ,WAN
                          - Destination:192.168.1.64,517 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:26Local7.Warning192.168.102.12006 Feb 18 22:44:06 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64449 ,WAN
                          - Destination:192.168.1.64,518 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:26Local7.Warning192.168.102.12006 Feb 18 22:44:07 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64451 ,WAN
                          - Destination:192.168.1.64,519 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:27Local7.Warning192.168.102.12006 Feb 18 22:44:07 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64453 ,WAN
                          - Destination:192.168.1.64,520 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:27Local7.Warning192.168.102.12006 Feb 18 22:44:07 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64455 ,WAN
                          - Destination:192.168.1.64,521 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:27Local7.Warning192.168.102.12006 Feb 18 22:44:08 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64457 ,WAN
                          - Destination:192.168.1.64,522 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:28Local7.Warning192.168.102.12006 Feb 18 22:44:08 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64459 ,WAN
                          - Destination:192.168.1.64,523 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:28Local7.Warning192.168.102.12006 Feb 18 22:44:08 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64461 ,WAN
                          - Destination:192.168.1.64,524 ,LAN [Drop] - [Inbound Default rule match]
2006-02-18 22:44:28Local7.Warning192.168.102.12006 Feb 18 22:44:09 (FR114P-2c-f2-3a)
  192.168.1.64 TCP packet - Source:4.246.6.16,64463 ,WAN
                          - Destination:192.168.1.64,525 ,LAN [Drop] - [Inbound Default rule match]

This would demonstrate that the listed destination ports are not blocked on the outbound by Level 3, the connection provider (it is a leased POP, as in "Point Of Presence", and I used my SBC account log in to connect; I kind of regret not changing the telephone number to one which would have gotten me an SBC IP address!)

To pull this off I first needed to create a route through the dial-up connection to the DSL connection on the console computer:

C:\WINDOWS>route add 71.132.19.202 mask 255.255.255.255 192.168.102.2
 
C:\WINDOWS>route print > F:\Commun~1\route.txt
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...44 45 53 54 00 00 ...... PPP Adapter.
0x3 ...00 50 77 01 11 ab ...... usb-usb network bridge adapter
0x4 ...44 45 53 54 00 01 ...... PPP Adapter.
0x5 ...00 10 b5 77 e6 46 ...... HP EN1207D-TX 10/100 Family Adapter
 
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.102.1  192.168.102.100  1
    71.132.19.202  255.255.255.255    192.168.102.2  192.168.102.100  1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
       172.29.0.0      255.255.0.0      172.29.61.1     172.29.61.1  1
      172.29.61.1  255.255.255.255        127.0.0.1       127.0.0.1  1
   172.29.255.255  255.255.255.255      172.29.61.1     172.29.61.1  1
    192.168.102.0    255.255.255.0  192.168.102.100  192.168.102.100  1
  192.168.102.100  255.255.255.255        127.0.0.1       127.0.0.1  1
  192.168.102.255  255.255.255.255  192.168.102.100  192.168.102.100  1
        224.0.0.0        224.0.0.0      172.29.61.1     172.29.61.1  1
        224.0.0.0        224.0.0.0  192.168.102.100  192.168.102.100  1
  255.255.255.255  255.255.255.255  192.168.102.100               2  1
Default Gateway:     192.168.102.1
===========================================================================
Persistent Routes:
  None

For the "route add" command, the first IP address is the DSL connection. The subnet mask limits the route to the single IP address. The final IP address is the gateway used to reach the Internet. From the routing table, you should see that there are, now, two gateways to the Internet:

• 192.168.102.1, which is the Netgear with the DSL connection to SBC.
• 192.168.102.2, which is an SMC 7004BR with the dial-up connection to Level 3.

The screen shot should tell the rest of the story. Basically, I have created a network on my local computer which sees the Internet from two different perspectives, and allows me to probe ports. I could have probed the Level 3 connection ports from the SBC DSL connection. Keep in mind that the source ports on the probed computer are the unblocked ports. IOW, to see if the DSL connection ports are blocked outbound, I would just have to probe '4.246.6.16' from the DSL connection. Depending upon how you make the connections to the Internet, you may need to use "route add", or not.

The screen shot is compose of the Netgear FR114P connection status page, and a port scanner, NetBrute, superimposed on an SMC Barricade 7004BR connection status page.

Addenda:

I just realized that the Netgear status screen is somwhat misleading. So I added a second screen shot showing some information about the DSL modem. What I have is actually a "cascaded NAT" configuration. My Netgear router is configured as if I had a cable connection, and the SpeedStream 4100 supplies a private IP address. This is more complicated than a cable connection, but it works. (I could, optionally, configure it to assign the public IP address. That would more closely emulate a cable connection.)

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Showing two simultaneous Internet connections.
Showing the SS4100 DSL modem with the public IP address.

]]> http://www.dslreports.com/forum/remark,15510089 Sun, 19 Feb 2006 02:16:13 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15509769 Combat Chuck :

said by jbob

:

As I mentioned to johkal with all the Comcast Comm Techs we have on here I don't know why we can't get a simple answer from them. :p Not that they would know but perhaps they could contact the network engineers and find out for sure.

Well that's because there's no such thing as a simple answer for a large company. Everything has to be run past lawyers and such to be evaluated for unintended consequences. So instead they keep it a secret from their front-line employees (who get to feel stupid if someone asks).
--
Asking those who disagree with you to find support of your arguements is like asking an assailant if you can borrow his gun.]]> http://www.dslreports.com/forum/remark,15509769 Sun, 19 Feb 2006 01:01:30 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15509370 jbob : Hmmm Looks like I do have that capability in my router. To trust an IP that is. I've been PMing with Nerdtalker discussing how it needs to be setup. I might have to be running a *nix distro for any real conclusions. I'm not so geeky enough that I am sure of all what needs to be done so I'd gladly take some suggestions.

The other issue is how do we know the difference between blocked incoming or outgoing ports? Probing me will only show inbound blocked ports correct? How do we determine outbound blocked ports?]]> http://www.dslreports.com/forum/remark,15509370 Sat, 18 Feb 2006 23:40:39 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15509369 NormanS :

said by Nerdtalker

:

It doesn't matter, really. Find a service that runs on one of those ports, and it'll be open. Just run "netstat -an" (without quotes of course) from a command prompt and you can see what ports are open, closed, e.t.c.

Well, yes, and no. I can run 'netstat' on my computer, and see what ports are listening for connections. I can call a remote ports scan down on that same computer, and see no open ports from the Internet. You can only be certain of what ports are open to the Internet by running a port scan from the Internet.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15509369 Sat, 18 Feb 2006 23:40:35 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15509349 NormanS : The rest of the ports can be scanned, manually, 64 ports at a time.]]> http://www.dslreports.com/forum/remark,15509349 Sat, 18 Feb 2006 23:37:07 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15509346 NormanS : What you should do is not turn the firewall off completely; rather, temporarily "trust" the source IP address that is probing your computer. In that way, the test site will react as if the DMZ computer had no firewall, but, to the rest of the Internet, access to your computer is still blocked.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15509346 Sat, 18 Feb 2006 23:36:21 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15508632 anon : Is Shields Up testing both TCP and UDP? NetFixer

made an excellent point back on page one.]]> http://www.dslreports.com/forum/remark,15508632 Sat, 18 Feb 2006 21:35:51 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15507976 jbob : Check your PM. Ah what the heck. Here's my open IP as of now: 69.247.119.228. No firewall or NAT.
A quick check with Shields Up showed ports 113, 135-139 and 445 as stealth. All others below 1056 showed Closed.
I'll have it open from 7 to 8 pm CST]]> http://www.dslreports.com/forum/remark,15507976 Sat, 18 Feb 2006 19:42:07 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15507085 Nerdtalker :

said by jbob

:

One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice.

Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time.

It doesn't matter, really. Find a service that runs on one of those ports, and it'll be open. Just run "netstat -an" (without quotes of course) from a command prompt and you can see what ports are open, closed, e.t.c.

As for finding a good service to test the ports, just throw your public IP up here and I'm sure someone (myself included) will gladly portscan you and post back with the results. :D
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15507085 Sat, 18 Feb 2006 17:03:34 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15507057 dpierce : You could get a friend to use nmap to do a full scan on your system once it is in a dmz.. »www.insecure.org/nmap/]]> http://www.dslreports.com/forum/remark,15507057 Sat, 18 Feb 2006 16:55:52 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15507040 jbob :

said by Nerdtalker

:

The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.

That is a question I have as well. I will setup a system fully open. I have them to spare so that's not an issue. lol
One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice.

Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time.

As I mentioned to johkal with all the Comcast Comm Techs we have on here I don't know why we can't get a simple answer from them. :p Not that they would know but perhaps they could contact the network engineers and find out for sure.]]> http://www.dslreports.com/forum/remark,15507040 Sat, 18 Feb 2006 16:52:00 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15506983 Nerdtalker : The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.

That, and I'm not willing to setup something over here (even temporarily) wide open while someone else port-scans me. And that's the only way I can think of for truly testing; having one person sit with a computer on a DMZ with all those suspected services running while another person simply port-scans the other.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15506983 Sat, 18 Feb 2006 16:39:36 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15506771 jbob : I wonder if it's important to scan/check any ports above the highest one already listed, 1080? Shields Up also checks for ports 1720 and 5000. But Shields Up only checks the first 1056 service ports automatically. The rest have to be scanned individually one at a time. Is there any tests out there that will test all possible ports?]]> http://www.dslreports.com/forum/remark,15506771 Sat, 18 Feb 2006 16:01:26 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15506763 dpierce : I put one of my pcs in the dmz and turned off the firewall.. the screenshot is what I got.. with the firewall up.. everything except what I specifically opened is in stealth mode.

]]> http://www.dslreports.com/forum/remark,15506763 Sat, 18 Feb 2006 16:00:50 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15506642 Johkal : Check your IM.]]> http://www.dslreports.com/forum/remark,15506642 Sat, 18 Feb 2006 15:40:19 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15506363 MrChupacabra :

said by Johkal

:

Anyone else interested in verifying these ports?

What? Poke and prod at the system to see what it does? That sounds fun. Just let me know what you need to have done and what we will be using for the standards so that its all consistent.
--
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction. --Albert Einstein]]> http://www.dslreports.com/forum/remark,15506363 Sat, 18 Feb 2006 14:55:06 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15505880 Johkal : Anyone else interested in verifying these ports?]]> http://www.dslreports.com/forum/remark,15505880 Sat, 18 Feb 2006 13:22:59 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15496851 Johkal :

said by Nerdtalker

:

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

That's a great idea. Any suggestions on how to approach this?

I would leave this FAQ alone, but being 2 years old leaves some doubts. If the remaining ports are not confirmed blocked/not blocked, I will just add a note to the original FAQ as such.
--
Write me up for 125.......I Can't Drive 55 »redrocker.com/ »cabowabo.com/]]> http://www.dslreports.com/forum/remark,15496851 Fri, 17 Feb 2006 07:17:32 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15496768 MrChupacabra : Ok, after digging around at work before I left tonight I can't find any updated information on the blocked port list we have. That information hasn't been updated in 2 years or so. Its still considered the official comcast list of blocked ports though. Now as to whats blocked (tcp/udp/ect) I don't know.
--
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction. --Albert Einstein]]> http://www.dslreports.com/forum/remark,15496768 Fri, 17 Feb 2006 06:35:20 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15496470 NormanS :

said by Johkal

:

Per this FAQ: »Comcast High Speed Internet FAQ »What ports does Comcast block?

"Comcast currently blocks ports 67, 68, 135-139, 445, 520, and 1080."

Are all of these ports still blocked?
Are there any additions?

DHCP, NetBIOS, SMB, RIP, and Socks4. All sources of potential, or actual abuse. I think you will be hard pressed to find a residential service which doesn't block some subset of those ports.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/remark,15496470 Fri, 17 Feb 2006 02:56:51 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15495643 oldTDNickell : He's not the only one that has been absent.
We seemed to have lost alot of our top helpers.
I won't name names you guys know who they are.]]> http://www.dslreports.com/forum/remark,15495643 Thu, 16 Feb 2006 23:47:42 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15495608 jbob :

said by Nerdtalker

:

Also, the source of the information in the FAQ was Qumahlin

, an extremely reputable Comcast network engineer.

Who by the way hasn't posted since Dec 24th.

Having someone from Comcast say what they are blocking would indeed be the best option.]]> http://www.dslreports.com/forum/remark,15495608 Thu, 16 Feb 2006 23:41:10 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15495507 oldTDNickell :

said by Nerdtalker

:

Some of these are probably blocked in the .config file as well.

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

Also, the source of the information in the FAQ was Qumahlin

, an extremely reputable Comcast network engineer.

I agree this FAQ should be left alone.]]> http://www.dslreports.com/forum/remark,15495507 Thu, 16 Feb 2006 23:29:47 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15495458 Nerdtalker : Some of these are probably blocked in the .config file as well.

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

Also, the source of the information in the FAQ was Qumahlin

, an extremely reputable Comcast network engineer.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.]]> http://www.dslreports.com/forum/remark,15495458 Thu, 16 Feb 2006 23:21:54 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15492619 NetFixer : I just temporarily disabled the software firewall on a Windows server and placed it in the DMZ on my Comcast router.

I can verify that Comcast is not blocking TCP port 53.

Ports 53, 67, 68 and 520 are usually associated with UDP rather than TCP, and UDP blocking is a bit more difficult to detect with an external passive port scanner. I suspect however, that Comcast and most ISP's who use DHCP for their clients would be blocking UDP ports 67 and 68 since otherwise a client's DHCP server could interfere with the ISP's network. Blocking port 520 UDP (RIP) is also difficult to detect, but it would make sense for an ISP to block it to prevent interference with their own routers.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
Test your firewall.]]> http://www.dslreports.com/forum/remark,15492619 Thu, 16 Feb 2006 17:35:22 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15492258 Johkal : So far it's been verified that these ports are blocked:
135-139
445
1080

Still need to verify:
67
68
520

Per MrChupacabra

; these ports may be blocked.
Need to verify:
53 Not Blocked (per NetFixer

)
55
77
--
Write me up for 125.......I Can't Drive 55 »redrocker.com/ »cabowabo.com/]]> http://www.dslreports.com/forum/remark,15492258 Thu, 16 Feb 2006 16:47:01 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15487075 anon : I only tested the the ports mentioned in this thread and found that 135-139, 445, and 1080 were blocked. I'm in Augusta, GA, so YMMV. ]]> http://www.dslreports.com/forum/remark,15487075 Wed, 15 Feb 2006 23:06:49 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15486364 oldTDNickell : I could be wrong,but i think all the info in this FAQ is still good.]]> http://www.dslreports.com/forum/remark,15486364 Wed, 15 Feb 2006 21:30:43 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15486211 Combat Chuck :

said by jjsk8r85

:

if I knew of any other way to test, I would. the only way I know of is to open those ports on another box within comcast's network and try to connect to it

Set you're firewall to respond to connection attempts with closed instead of just dropping them (Ie: turn off stealth mode) then run a security scan over at Gibsons site, whatever shows as stealth is probably blocked by Comcast. It's not 100% definitive but it'll do in most cases.
--
Asking those who disagree with you to find support of your arguements is like asking an assailant if you can borrow his gun.]]> http://www.dslreports.com/forum/remark,15486211 Wed, 15 Feb 2006 21:08:42 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15485136 jjsk8r85 : if I knew of any other way to test, I would. the only way I know of is to open those ports on another box within comcast's network and try to connect to it]]> http://www.dslreports.com/forum/remark,15485136 Wed, 15 Feb 2006 18:47:22 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15483511 MrChupacabra : From what I know, the ports 53, 55, 77, 135 - 139 and 445 are blocked and no others. I do not know about 1080. I'll have to look into that one.]]> http://www.dslreports.com/forum/remark,15483511 Wed, 15 Feb 2006 15:14:08 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15481838 Combat Chuck : I just tested and all that seems to be blocked in my area are 135-139, and 445. I think it is somewhat region dependant however.
--
Asking those who disagree with you to find support of your arguements is like asking an assailant if you can borrow his gun.]]> http://www.dslreports.com/forum/remark,15481838 Wed, 15 Feb 2006 11:31:28 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15481816 Johkal : I only have a Comcast e-mail account. Comcast is not my ISP yet. Maybe someone else would be so kind to try this.
--
Write me up for 125.......I Can't Drive 55 »redrocker.com/ »cabowabo.com/]]> http://www.dslreports.com/forum/remark,15481816 Wed, 15 Feb 2006 11:27:47 EDT Re: FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15481674 jjsk8r85 : I don't know, open up those ports on your firewall and let me telnet to em :P]]> http://www.dslreports.com/forum/remark,15481674 Wed, 15 Feb 2006 11:07:51 EDT FAQ # 10778 Blocked Ports http://www.dslreports.com/forum/remark,15481407 Johkal : Per this FAQ: »Comcast High Speed Internet FAQ »What ports does Comcast block?

"Comcast currently blocks ports 67, 68, 135-139, 445, 520, and 1080."

Are all of these ports still blocked?
Are there any additions?

Thank you!
--
Write me up for 125.......I Can't Drive 55 »redrocker.com/ »cabowabo.com/]]> http://www.dslreports.com/forum/remark,15481407 Wed, 15 Feb 2006 10:27:33 EDT