EliteData (Premium Member, join: 2003-07-06, Philippines)
2015-Feb-26 12:13 pm
Net neutrality & Cablevision's blocked ports. How will this affect the currently blocked ports?

Ports blocked at modem level: 8080, 1080, 3128, 6588
Ports blocked at CMTS level: 135, 136, 137, 138, 139
(Ports 80 & 25 are blocked but can be activated by subscribing to a higher subscription tier.)

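The opening post lists ports blocked at two different points (the modem and the CMTS) plus two that open on a higher tier. From outside the home network all of these look alike: the SYN is silently dropped and the connection times out, which is not the same as the RST you get from a reachable host with nothing listening. The script below is an added example for this thread, not code from the post or from Cablevision. It classifies a port the way a connect scan does and says what each outcome means when you already have a listener up behind the modem; the 3-second timeout, the wording in interpret(), and the local listener it starts so it can run offline are assumptions of this example.

```python
"""Distinguish an upstream port block from "nothing listening".

Added example for this thread, not Cablevision's or anyone else's tooling.
Assumptions: the 3 s timeout, the wording in interpret(), and the local
listener/free-port helpers used so the script runs offline.
"""
import errno
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_port(host, port, timeout=3.0):
    """One TCP connect() from the probing side, read like nmap's -sT states.

    open     - handshake completed: a listener answered
    closed   - RST came back: host reachable, nothing listening there
    filtered - no answer, or ICMP unreachable: the SYN was dropped on the
               path, which is what a block at the modem or CMTS looks like
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:            # TimeoutError on 3.10+, still an OSError
        return FILTERED
    except ConnectionRefusedError:
        return CLOSED
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return FILTERED
        raise
    finally:
        s.close()


def interpret(outside_state, listener_running):
    """Meaning of a result observed from OUTSIDE the ISP network, given whether
    the subscriber has a service listening on that port behind the modem."""
    if outside_state == OPEN:
        return "reachable: the service answers from the Internet"
    if outside_state == CLOSED:
        return "reachable: RST came back, so no ISP block; nothing is listening"
    if listener_running:
        return "blocked upstream: listener is up but SYNs never arrive"
    return "inconclusive: no listener, a drop may be your own router"


def audit(host, ports, timeout=3.0):
    """Classify several ports at once, e.g. the ones named in the post."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral port. The kernel completes handshakes into the
    accept queue, so connect() succeeds even though nothing calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def free_port(host="127.0.0.1"):
    """A port with nothing listening: bind to 0, read it back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo: one port with a listener, one without.
    srv = start_listener()
    results = audit("127.0.0.1", [srv.getsockname()[1], free_port()])
    srv.close()
    for port, state in results.items():
        print(port, state, "->", interpret(state, listener_running=True))
```

To use it against a real block, start a listener at home on one of the listed ports (with the router forwarding it), then run classify_port() from a host outside the ISP's network such as a VPS or a phone on mobile data. "filtered" with the listener up and the router forwarding means the SYN is being dropped upstream of you; "closed" means the ISP is passing the packet and the problem is on your side. The same run before and after toggling 80/25 on the tier page shows whether the toggle actually took effect.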
frdrizzt
I don't see anything changing. They aren't doing anything to promote their internal service & discourage competition. I'm sure it will fall under reasonable network management.

EliteData
1 recommendation
said by frdrizzt: I don't see anything changing. They aren't doing anything to promote their internal service & discourage competition. I'm sure it will fall under reasonable network management.

I don't understand what the current purpose and reason is for blocking 8080, 1080, 3128 & 6588 at modem level. If someone is intent on operating a server, they will just use another port. These ports should be allowed to be toggled if the user is subscribed to the tier that allows you to toggle ports 80 & 25.

TheWiseGuy (Dog And Butterfly, MVM, join: 2002-07-04, East Stroudsburg, PA)
1 recommendation
to EliteData
The basics of the net neutrality rules were put into place to keep ISPs from charging web sites to deliver the packets customers had requested. While these rules will of course be open to interpretation, the FCC has indicated that they do not intend to use them to regulate ISP/end-user interactions. So while you can debate whether not allowing an end user to utilize a specific port is a violation of net neutrality, I suspect that at least in the near term port blocking will not be affected.

EliteData
1 recommendation
It seems, after some more research, that one would have to subscribe to a "static IP" to enable those ports. As far as I'm concerned, those ports should be included for those that subscribe to an "Ultra" tier: since ports 80 & 25 are already included with the "Ultra" tier, why not the rest of the ports? Why should I have to pay extra to have ports that should be included with ports 80 & 25?

Quote: "Use of port 8080, 1080, 3128 and 6588 must ensure that the services running over these ports are secured and do not violate the Acceptable Use Policy and maintain the security of those services on an ongoing basis."

urbanriot
2 recommendations
to EliteData
said by EliteData: I don't understand what the current purpose and reason is for blocking 8080, 1080, 3128 & 6588 at modem level. If someone is intent on operating a server, they will just use another port.

They're common ports that are scanned for services by bots. A guy hosting a web site or RDP server on something like port 1344 won't be picked up by the majority of bots that are seeking exploitable systems.

EliteData (4 edits)
1 recommendation
said by urbanriot: They're common ports that are scanned for services by bots. A guy hosting a web site or RDP server on something like port 1344 won't be picked up by the majority of bots that are seeking exploitable systems.

I understand that, but there are bots out there constantly scanning port 3389 (Remote Desktop) and any other listening ports on a Windows system that are not filtered by the OS itself or by CV. If CV is going to block "some" common ports used by bots/trojans, they might as well go ahead and block all of the common ones, because 8080, 1080, 3128 & 6588 aren't the only common ports used by bots/trojans. Sure, 8080, 1080, 3128 & 6588 were popular years back (SubSeven/MyDoom/etc.), but are they popular enough now to warrant the continuation of being blocked today? If someone is intent on operating a server that uses those ports by default, it could just be changed to use a different port easily.

My point is, why bother blocking those ports? Does it really make any difference? I pay a premium for internet and my stance is I should be getting what I'm paying for, including ports and protocols that are blocked for what I discern are stupid, useless reasons. Sure, I could go pay for "business" class or static IP service, but what for? To regain the ports that I should be entitled to use, should I choose to use them? If I am entitled to use ports 80 & 25 as a "service", I should be entitled to use 8080, 1080, 3128 & 6588, since those ports are defined as "services" like port 80 and port 25. Don't tell me I can operate a mail and web server but cannot operate a proxy/web cache/Squid server. That's like giving me the keys to the vehicle, allowing me to start it, but not allowing me to use it.

urbanriot
1 recommendation
said by EliteData: My point is, why bother blocking those ports? Does it really make any difference?

Yes. Keep in mind they're protecting their client base overall, and plenty of routers have remote administration enabled, either by default or by dumb people, and as such they've blocked access to malicious people. Port 8080 is one such port, regularly used for remote management. While this might agitate you, I expect there are far more people this protects, and as far as many providers are concerned, they'd rather have safety and security over a handful of annoyed enthusiasts. More safety & security = fewer support calls.

EliteData
1 recommendation
I completely understand this. And I also understand why 135-139 are blocked. But aside from 8080 being blocked for "security" reasons, having the remainder of the ports (1080, 3128 & 6588) blocked seems a bit ridiculous to me when 445 is not blocked at all.

urbanriot
1 recommendation
I'd suggest asking support about their reasoning on those ports, as I expect the reasons are not arbitrary and they may have information that's not within our purview.
I recognize 3128 as the default Squid proxy port, but that's more of an internal-use port. Port 6588 is the same with another, lesser-used proxy. However, both ports are regularly scanned by bots, and I'm sure you'd see this with firewalls on your end.
It is a bit overkill, but I'd suggest asking them what they think... maybe you could convince them!

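urbanriot's point that these ports are "regularly scanned by bots" and that "you'd see this with firewalls on your end" is easy to check on any router that logs dropped inbound packets. What follows is an added example, not code from the thread or from any Cablevision tool: it tallies inbound TCP SYN probes per destination port from netfilter-style LOG lines, flags sources that sweep several ports, and marks which of those ports the opening post says Cablevision already blocks. The log lines are constructed (RFC 5737 documentation addresses); the "FW-DROP:" prefix and the service labels are assumptions of the example.

```python
"""Tally inbound TCP SYN probes per destination port from iptables/netfilter
LOG lines and mark which ports Cablevision already blocks (per the thread).

Added example, not code from the thread or from any Cablevision tooling.
The sample log is constructed (RFC 5737 addresses); the "FW-DROP:" prefix
and the SERVICE labels are assumptions.
"""
import re
from collections import Counter, defaultdict

# Port lists as stated in the opening post of the thread.
MODEM_BLOCKED = {8080, 1080, 3128, 6588}
CMTS_BLOCKED = {135, 136, 137, 138, 139}
TIER_GATED = {80, 25}          # opened only on a higher subscription tier

# Rough service labels so the report reads sensibly (assumption).
SERVICE = {
    80: "http", 25: "smtp", 8080: "http-alt / router remote admin",
    1080: "socks", 3128: "squid", 6588: "proxy", 445: "smb",
    3389: "rdp", 139: "netbios-ssn", 22: "ssh",
}

# Netfilter LOG target layout; only the fields used below are captured.
_LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return {'src','dst','dpt'} for an inbound TCP SYN, else None.
    Non-TCP lines and packets that are not new-connection attempts (no SYN,
    or SYN+ACK) are ignored so only probes from outside are counted."""
    m = _LOG_RE.search(line)
    if not m or m.group("proto") != "TCP" or m.group("dpt") is None:
        return None
    flags = set(re.findall(r"\b(SYN|ACK|RST|FIN)\b", line[m.end():]))
    if "SYN" not in flags or "ACK" in flags:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "dpt": int(m.group("dpt"))}


def isp_status(port):
    """Where, according to the opening post, Cablevision drops this port."""
    if port in MODEM_BLOCKED:
        return "blocked at modem"
    if port in CMTS_BLOCKED:
        return "blocked at CMTS"
    if port in TIER_GATED:
        return "blocked unless tier allows"
    return "not blocked"


def summarize(lines):
    """Hit count and distinct source set per destination port."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[rec["dpt"]] += 1
            sources[rec["dpt"]].add(rec["src"])
    return hits, sources


def report(lines):
    """Rows (port, service, hits, distinct_sources, isp_status), busiest first."""
    hits, sources = summarize(lines)
    rows = [(p, SERVICE.get(p, "?"), hits[p], len(sources[p]), isp_status(p))
            for p in hits]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def sweepers(lines, min_ports=3):
    """Sources that probed at least min_ports distinct ports: the 'bot
    scanning for services' behaviour discussed in the thread."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ports_by_src[rec["src"]].add(rec["dpt"])
    return {s: sorted(ps) for s, ps in ports_by_src.items() if len(ps) >= min_ports}


def _l(src, dpt, flags="SYN"):
    """Build one constructed netfilter LOG line (TCP)."""
    return (f"Feb 26 12:13:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.20 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=54321 "
            f"PROTO=TCP SPT=40123 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: one host sweeping the four proxy ports, repeat hits on
# 8080, probes of RDP/SMB (not blocked by CV), plus lines that must be ignored.
SAMPLE_LOG = [
    _l("203.0.113.9", 8080), _l("203.0.113.9", 1080),
    _l("203.0.113.9", 3128), _l("203.0.113.9", 6588),
    _l("203.0.113.7", 8080), _l("203.0.113.7", 8080),
    _l("192.0.2.13", 3389), _l("203.0.113.44", 3389),
    _l("192.0.2.13", 445),
    _l("192.0.2.200", 22),
    "Feb 26 12:13:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=198.51.100.20 LEN=78 TTL=49 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58",
    _l("192.0.2.13", 445, flags="ACK"),   # mid-stream packet, not a probe
    "Feb 26 12:13:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 "
    "DST=198.51.100.20 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("%5d %-30s hits=%d srcs=%d %s" % row)
    print("sweepers:", sweepers(SAMPLE_LOG))
```

On a real box, feed it `grep FW-DROP /var/log/kern.log` (or whatever prefix your LOG rule uses). The interesting comparison for this thread is the "not blocked" rows: if 445 and 3389 draw as many distinct sources as 8080, the argument that the modem-level list is out of date has numbers behind it.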
Thinkdiff
1 recommendation
The ports are not blocked for people that can look at firewall logs.
They were blocked during a time when the majority of people did not have a router. Back then, it made a lot of sense: at the risk of causing some (really) minor annoyance for people using their service to host servers, which is against the ToS anyway, they blocked the ports to prevent very common worms and attacks from spreading on their network.
Now that most people have routers, it's true blocking these ports doesn't really provide much extra security. But the level of inconvenience to people that might be using the ports is still incredibly minor. I think you'll find it impossible to convince CV to change it, or anybody there to even care... because, why?

mbernste (MVM, join: 2001-06-30, Piscataway, NJ)
1 recommendation
said by Thinkdiff: people using their service to host servers, which is against the ToS anyway

Actually, ports 80 and 25 aren't against the TOS if you have Ultra 101; there's even a site on Cablevision's web site to open those ports on your modem.

Thinkdiff
1 recommendation
said by mbernste: Actually, ports 80 and 25 aren't against the TOS if you have Ultra 101; there's even a site on Cablevision's web site to open those ports on your modem.

Yes.. I know.. We were talking about the ports that cannot be opened. And any level of Ultra service will allow you to open the ports (Ultra 50/75/101). Unless they've changed it, the Ultra ToS (non-business, non-static) used to state it only allows "web" and "email" servers, making it against the ToS to run a server on 3128, 8080, etc.

EliteData
1 recommendation
said by Thinkdiff: Yes.. I know.. We were talking about the ports that cannot be opened. And any level of Ultra service will allow you to open the ports (Ultra 50/75/101). Unless they've changed it, the Ultra ToS (non-business, non-static) used to state it only allows "web" and "email" servers, making it against the ToS to run a server on 3128, 8080, etc.

The TOS for residential customers still says this: no proxy/Squid server allowed ("includes but not limited to"). It's unlikely anyone in the NY area using Optimum is operating a proxy/Squid server to begin with, but it's likely that another legit program, and not necessarily a server, uses default port 3128 or 6588. So if I am allowed to operate an HTTP web server and I want to incorporate a Squid HTTP cache server with my HTTP web server, I am simply not allowed? » www.squid-cache.org/

TheWiseGuy
So you go into a restaurant; they have a Hamburger and a Hamburger Platter. The hamburger does not have fries or salad; the Hamburger Platter does. Do you claim it is unfair that when you order a Hamburger it does not come with fries?
There is a big difference between charging sites to deliver the traffic your customers have paid to receive and setting up different tiers with different offerings. Does CV have the right to consider a Squid cache a business offering? You certainly can disagree, but there is a reasonable argument to be made that companies have a right to have differentiated product offerings.

1 recommendation
to urbanriot
said by urbanriot: I'd suggest asking support about their reasoning on those ports, as I expect the reasons are not arbitrary and they may have information that's not within our purview.
I recognize 3128 as the default Squid proxy port, but that's more of an internal-use port. Port 6588 is the same with another, lesser-used proxy. However, both ports are regularly scanned by bots, and I'm sure you'd see this with firewalls on your end.
It is a bit overkill, but I'd suggest asking them what they think... maybe you could convince them!

I'd suggest not asking them why, because the people in basic support are many pay grades below those who have meaningful network management discussions. I would guess that the reason they are in place is that, against the minor possibility of still being relevant, there is a much smaller chance of someone needing those ports. I was in their tech support for almost 5 years and never got a complaint about failed services on ports 1080, 3128, 6588. I had people ask about opening "all ports", but not once actually needing to use those ports. It's not an indication that no one wants it, but it's a pretty clear overall picture.

EliteData
1 recommendation
to TheWiseGuy
said by TheWiseGuy: So you go into a restaurant; they have a Hamburger and a Hamburger Platter. The hamburger does not have fries or salad; the Hamburger Platter does. Do you claim it is unfair that when you order a Hamburger it does not come with fries?

If ordering a hamburger (80), you get the burger without the buns (3128) because the chef says buns (3128) are not allowed (HTTP web server without HTTP Squid cache). Quoting from the TOS:

Quote: "Users may not run any type of server on the system. This includes but is not limited to FTP, IRC, SMTP, POP, HTTP, SOCKS, SQUID, DNS or any multi-user forums"

So why block a few ports for a few services (3128 & 6588)? Why not block all the possible ports that "any type of server" can operate on? Maybe it was a matter of security years ago, as it was from what I can remember (SubSeven/MyDoom), but I certainly don't believe it is a matter of security today.

TheWiseGuy
1 recommendation
said by EliteData: If ordering a hamburger (80), you get the burger without the buns (3128) because the chef says buns (3128) are not allowed (HTTP web server without HTTP Squid cache).

Of course, anyone can define what is and isn't essentially a part of one product. You claim that a Squid proxy is a vital part of a web server; can you run a web server without one? Of course. CV can claim that a Squid proxy is really part of a business HTTP service. Who is right? Does it make it more efficient to run a Squid proxy in some cases? Is it a vital part of running a web server? You can claim it is. Good luck.

EliteData
1 recommendation
A bun is not vital to the burger, as one can eat the burger without the bun. We all understand why 135-139 are blocked, but why not 445? 445 used to be blocked back when XP was the popular OS of choice; 445 was considered a "security risk". Why allow this port now and not the rest?

TheWiseGuy
1 recommendation
Actually, a bun is part of a hamburger; there is another name for ground beef without a bun, a fancy one, but it does not come to mind at this point.

voipguy (Member, join: 2006-05-31, Forest Hills, NY)
1 recommendation
2015-Feb-27 12:37 pm
Salisbury Steak?

TheWiseGuy
That was the one I was thinking of at the time, but I also think you can call it a ground beef steak or several other things.

·Frontier FiberOp..
1 recommendation
to EliteData
In the past, running servers behind a cable modem tied to a residential account was explicitly disallowed. If you wanted servers, you had to order BOOL. In my experience, BOOL was the same OOL with a different price tag.
Now, the only distinction as it pertains to running servers on the HFC side of the Cablevision network seems to be whether you add Ultra to the account or not. If you don't, it's not allowed. If you do, it is.
The distinction between the tiers does not discriminate the traffic traversing the network, as none of this traffic is (as far as I can tell right now, as I do run servers behind my cable modem) throttled, prioritized or otherwise inhibited for lack of a "fast lane" toll or sponsored arrangement.
I do subscribe to Ultra 50, so perhaps someone else who subscribes to Ultra 101 and also runs servers behind it can attest to this.

Millwood (Premium Member, join: 2002-04-27, Millwood, NY)
to EliteData
I'm curious about the definition of a "server". Does it mean any connection initiated from the outside to an open port?
Or does it mean providing a service through an open port?
Specifically, is using an open port to get personal access to the home network when away from home violating the server rule?

EliteData
2 recommendations
to TheWiseGuy
said by TheWiseGuy: That was the one I was thinking of at the time, but I also think you can call it a ground beef steak or several other things.

Chopped steak.

TheWiseGuy
1 recommendation
to Millwood
Unfortunately, they do not define "server", which gives them wide latitude.
That said, over the last 25 years they have never, to my knowledge, cared if you did run a low-bandwidth server (simply because it was a server), and in the last 8 or so years never bothered doing anything about even high-bandwidth servers (simply because it was a server).

EliteData
1 recommendation
said by TheWiseGuy: Unfortunately, they do not define "server", which gives them wide latitude.
That said, over the last 25 years they have never, to my knowledge, cared if you did run a low-bandwidth server (simply because it was a server), and in the last 8 or so years never bothered doing anything about even high-bandwidth servers (simply because it was a server).

Then I don't see a valid point to blocking those ports I specified. They were blocked years ago because of a large outbreak of network-propagated trojans, and those trojans are really not a valid reason in the present time to warrant those ports still being blocked. The same situation happened years ago with port 445 (Messenger service): it was blocked years ago due to massive spam coming across Windows XP machines that had the Messenger service turned on by default, but as of now, port 445 is no longer blocked.

You may not see it as a relevant justification, but can you define it as a violation of net neutrality? I don't feel it is.

RickNY (Premium Member, join: 2000-11-02, Bellport, NY)
1 recommendation
to EliteData
said by EliteData: So if I am allowed to operate an HTTP web server and I want to incorporate a Squid HTTP cache server with my HTTP web server, I am simply not allowed? » www.squid-cache.org/

If your intent was really to run a Squid proxy server for caching, why would you be running it with its listening port exposed externally? Just curious..

EliteData
to frdrizzt
said by frdrizzt: I don't see anything changing. They aren't doing anything to promote their internal service & discourage competition. I'm sure it will fall under reasonable network management.
