JohkalCool Cat MVM join:2002-11-13 Pennsyltucky
1 recommendation |
Johkal
MVM
2006-Feb-15 10:27 am
FAQ # 10778 Blocked Ports
Per this FAQ: » Comcast High Speed Internet FAQ » What ports does Comcast block?
"Comcast currently blocks ports 67, 68, 135-139, 445, 520, and 1080."
Are all of these ports still blocked? Are there any additions? Thank you! |
|
|
|
I don't know, open up those ports on your firewall and let me telnet to em :P |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky |
Johkal
MVM
2006-Feb-15 11:27 am
I only have a Comcast e-mail account. Comcast is not my ISP yet. Maybe someone else would be so kind to try this. |
|
Combat ChuckToo Many Cannibals Premium Member join:2001-11-29 Verona, PA
1 recommendation |
to Johkal
I just tested and all that seems to be blocked in my area are 135-139, and 445. I think it is somewhat region dependent however. |
|
|
to Johkal
From what I know, the ports 53, 55, 77, 135 - 139 and 445 are blocked and no others. I do not know about 1080. I'll have to look into that one. |
|
|
to Johkal
If I knew of any other way to test, I would. The only way I know of is to open those ports on another box within Comcast's network and try to connect to it. |
|
Combat ChuckToo Many Cannibals Premium Member join:2001-11-29 Verona, PA |
said by jjsk8r85: If I knew of any other way to test, I would. The only way I know of is to open those ports on another box within Comcast's network and try to connect to it.
Set your firewall to respond to connection attempts with closed instead of just dropping them (i.e., turn off stealth mode), then run a security scan over at Gibson's site. Whatever shows as stealth is probably blocked by Comcast. It's not 100% definitive but it'll do in most cases. |
|
|
to Johkal
I could be wrong, but I think all the info in this FAQ is still good. |
|
|
Dlazy to Johkal
Anon
2006-Feb-15 11:06 pm
to Johkal
I only tested the ports mentioned in this thread and found that 135-139, 445, and 1080 were blocked. I'm in Augusta, GA, so YMMV. |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky 1 edit |
Johkal
MVM
2006-Feb-16 4:47 pm
So far it's been verified that these ports are blocked:
135-139
445
1080
Still need to verify:
67
68
520
Per MrChupacabra; these ports may be blocked. Need to verify:
53 Not Blocked (per NetFixer)
55
77 |
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
1 recommendation |
NetFixer
Premium Member
2006-Feb-16 5:35 pm
I just temporarily disabled the software firewall on a Windows server and placed it in the DMZ on my Comcast router.
I can verify that Comcast is not blocking TCP port 53.
Ports 53, 67, 68 and 520 are usually associated with UDP rather than TCP, and UDP blocking is a bit more difficult to detect with an external passive port scanner. I suspect, however, that Comcast and most ISPs who use DHCP for their clients would be blocking UDP ports 67 and 68 since otherwise a client's DHCP server could interfere with the ISP's network. Blocking port 520 UDP (RIP) is also difficult to detect, but it would make sense for an ISP to block it to prevent interference with their own routers. |
|
NerdtalkerWorking Hard, Or Hardly Working? MVM join:2003-02-18 San Jose, CA |
to Johkal
Some of these are probably blocked in the .config file as well. For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question. Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer. |
|
|
said by Nerdtalker: Some of these are probably blocked in the .config file as well. For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question. Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer.
I agree this FAQ should be left alone. |
|
jbobReach Out and Touch Someone Premium Member join:2004-04-26 Little Rock, AR ·Comcast XFINITY Asus GT-AX6000 Asus RT-AC66U B1
|
to Nerdtalker
said by Nerdtalker: Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer.
Who by the way hasn't posted since Dec 24th. Having someone from Comcast say what they are blocking would indeed be the best option. |
|
|
He's not the only one that has been absent. We seemed to have lost a lot of our top helpers. I won't name names; you guys know who they are. |
|
NormanSI gave her time to steal my mind away MVM join:2001-02-14 San Jose, CA TP-Link TD-8616 Asus RT-AC66U B1 Netgear FR114P
|
to Johkal
DHCP, NetBIOS, SMB, RIP, and Socks4. All sources of potential, or actual abuse. I think you will be hard pressed to find a residential service which doesn't block some subset of those ports. |
|
|
to Johkal
Ok, after digging around at work before I left tonight I can't find any updated information on the blocked port list we have. That information hasn't been updated in 2 years or so. It's still considered the official Comcast list of blocked ports though. Now as to what's blocked (tcp/udp/etc.) I don't know. |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky
1 recommendation |
to Nerdtalker
said by Nerdtalker: For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.
That's a great idea. Any suggestions on how to approach this? I would leave this FAQ alone, but being 2 years old leaves some doubts. If the remaining ports are not confirmed blocked/not blocked, I will just add a note to the original FAQ as such. |
|
Johkal |
Johkal
MVM
2006-Feb-18 1:22 pm
Anyone else interested in verifying these ports? |
|
|
said by Johkal: Anyone else interested in verifying these ports?
What? Poke and prod at the system to see what it does? That sounds fun. Just let me know what you need to have done and what we will be using for the standards so that it's all consistent. |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky |
Johkal
MVM
2006-Feb-18 3:40 pm
Check your IM. |
|
dpierceLazyrabbitt Premium Member join:2002-09-30 Gaithersburg, MD |
to Johkal
I put one of my PCs in the DMZ and turned off the firewall.. the screenshot is what I got.. with the firewall up.. everything except what I specifically opened is in stealth mode. |
|
jbobReach Out and Touch Someone Premium Member join:2004-04-26 Little Rock, AR ·Comcast XFINITY Asus GT-AX6000 Asus RT-AC66U B1
|
to Johkal
I wonder if it's important to scan/check any ports above the highest one already listed, 1080? Shields Up also checks for ports 1720 and 5000. But Shields Up only checks the first 1056 service ports automatically. The rest have to be scanned individually one at a time. Are there any tests out there that will test all possible ports? |
|
NerdtalkerWorking Hard, Or Hardly Working? MVM join:2003-02-18 San Jose, CA |
to Johkal
The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.
That, and I'm not willing to set up something over here (even temporarily) wide open while someone else port-scans me. And that's the only way I can think of for truly testing; having one person sit with a computer on a DMZ with all those suspected services running while another person simply port-scans the other. |
|
jbobReach Out and Touch Someone Premium Member join:2004-04-26 Little Rock, AR ·Comcast XFINITY Asus GT-AX6000 Asus RT-AC66U B1
|
jbob
Premium Member
2006-Feb-18 4:52 pm
said by Nerdtalker: The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.
That is a question I have as well. I will set up a system fully open. I have them to spare so that's not an issue. lol One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice. Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time. As I mentioned to Johkal with all the Comcast Comm Techs we have on here I don't know why we can't get a simple answer from them. Not that they would know but perhaps they could contact the network engineers and find out for sure. |
|
dpierceLazyrabbitt Premium Member join:2002-09-30 Gaithersburg, MD |
dpierce
Premium Member
2006-Feb-18 4:55 pm
You could get a friend to use nmap to do a full scan on your system once it is in a DMZ.. » www.insecure.org/nmap/ |
|
NerdtalkerWorking Hard, Or Hardly Working? MVM join:2003-02-18 San Jose, CA |
to jbob
said by jbob: One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice. Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time.
It doesn't matter, really. Find a service that runs on one of those ports, and it'll be open. Just run "netstat -an" (without quotes of course) from a command prompt and you can see what ports are open, closed, etc. As for finding a good service to test the ports, just throw your public IP up here and I'm sure someone (myself included) will gladly portscan you and post back with the results. |
|
jbobReach Out and Touch Someone Premium Member join:2004-04-26 Little Rock, AR ·Comcast XFINITY Asus GT-AX6000 Asus RT-AC66U B1
2 edits
1 recommendation |
jbob
Premium Member
2006-Feb-18 7:42 pm
Check your PM. Ah what the heck. Here's my open IP as of now: 69.247.119.228. No firewall or NAT. A quick check with Shields Up showed ports 113, 135-139 and 445 as stealth. All others below 1056 showed Closed. I'll have it open from 7 to 8 pm CST |
|
|
Dlazy
Anon
2006-Feb-18 9:35 pm
Is Shields Up testing both TCP and UDP? NetFixer made an excellent point back on page one. |
|
NormanSI gave her time to steal my mind away MVM join:2001-02-14 San Jose, CA TP-Link TD-8616 Asus RT-AC66U B1 Netgear FR114P
|
to dpierce
What you should do is not turn the firewall off completely; rather, temporarily "trust" the source IP address that is probing your computer. In that way, the test site will react as if the DMZ computer had no firewall, but, to the rest of the Internet, access to your computer is still blocked. |
|
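The test method discussed in this thread (have the target answer "closed" instead of silently dropping, probe it from outside, and read whatever still goes unanswered as filtered upstream), written out as an added example that is not part of any post above. It covers TCP only, so the UDP ports (67, 68, 520) are outside what it can show; `consensus` is a hypothetical helper for pooling several testers' results, and the tester names and sample states are constructed.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: a service answered
    except ConnectionRefusedError:
        return "closed"      # RST came back: the probe reached the host
    except OSError:
        return "filtered"    # timeout or unreachable: dropped on the way
    finally:
        sock.close()


def consensus(reports):
    """Pool per-tester results ({tester: {port: state}}) into one verdict per port.

    Assumes every target answered 'closed' rather than dropping (no stealth
    mode), so 'filtered' points at something upstream of the host.
    """
    verdicts = {}
    for port in sorted({p for r in reports.values() for p in r}):
        states = [r[port] for r in reports.values() if port in r]
        reached = [s for s in states if s in ("open", "closed")]
        if not reached:
            verdicts[port] = "blocked"
        elif len(reached) == len(states):
            verdicts[port] = "not blocked"
        else:
            verdicts[port] = "varies by tester"  # e.g. region-dependent filtering
    return verdicts


# Constructed sample reports; tester names are placeholders.
SAMPLE_REPORTS = {
    "tester_a": {53: "open", 135: "filtered", 445: "filtered", 1080: "closed"},
    "tester_b": {53: "closed", 135: "filtered", 445: "filtered", 1080: "filtered"},
}

if __name__ == "__main__":
    for port, verdict in consensus(SAMPLE_REPORTS).items():
        print(port, verdict)
```

Each tester would fill in their own report by calling `probe_tcp` against a machine they control, with that machine's firewall set to reject instead of drop.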