
Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

1 recommendation

Johkal

MVM

FAQ # 10778 Blocked Ports

Per this FAQ: »Comcast High Speed Internet FAQ »What ports does Comcast block?

"Comcast currently blocks ports 67, 68, 135-139, 445, 520, and 1080."

Are all of these ports still blocked?
Are there any additions?

Thank you!

jjsk8r85
join:2005-02-17
Belleville, MI

jjsk8r85

Member

I don't know, open up those ports on your firewall and let me telnet to em :P

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

Johkal

MVM

I only have a Comcast e-mail account. Comcast is not my ISP yet. Maybe someone else would be so kind to try this.

Combat Chuck
Too Many Cannibals
Premium Member
join:2001-11-29
Verona, PA

1 recommendation

Combat Chuck to Johkal

Premium Member

to Johkal
I just tested and all that seems to be blocked in my area are 135-139, and 445. I think it is somewhat region dependent however.

MrChupacabra
Premium Member
join:2003-03-26
Florida

MrChupacabra to Johkal

Premium Member

to Johkal
From what I know, the ports 53, 55, 77, 135 - 139 and 445 are blocked and no others. I do not know about 1080. I'll have to look into that one.

jjsk8r85
join:2005-02-17
Belleville, MI

jjsk8r85 to Johkal

Member

to Johkal
If I knew of any other way to test, I would. The only way I know of is to open those ports on another box within Comcast's network and try to connect to it.

Combat Chuck
Too Many Cannibals
Premium Member
join:2001-11-29
Verona, PA

Combat Chuck

Premium Member

said by jjsk8r85:

If I knew of any other way to test, I would. The only way I know of is to open those ports on another box within Comcast's network and try to connect to it.
Set your firewall to respond to connection attempts with closed instead of just dropping them (i.e., turn off stealth mode), then run a security scan over at Gibson's site; whatever shows as stealth is probably blocked by Comcast. It's not 100% definitive but it'll do in most cases.

oldTDNickell5
Premium Member
join:2000-12-19
Federal Way, WA

oldTDNickell5 to Johkal

Premium Member

to Johkal
I could be wrong, but I think all the info in this FAQ is still good.

Dlazy
@comcast.net

Dlazy to Johkal

Anon

to Johkal
I only tested the ports mentioned in this thread and found that 135-139, 445, and 1080 were blocked. I'm in Augusta, GA, so YMMV.

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

1 edit

Johkal

MVM

So far it's been verified that these ports are blocked:
135-139
445
1080

Still need to verify:
67
68
520

Per MrChupacabra, these ports may be blocked.
Need to verify:
53 Not Blocked (per NetFixer)
55
77

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer

Premium Member

I just temporarily disabled the software firewall on a Windows server and placed it in the DMZ on my Comcast router.

I can verify that Comcast is not blocking TCP port 53.

Ports 53, 67, 68 and 520 are usually associated with UDP rather than TCP, and UDP blocking is a bit more difficult to detect with an external passive port scanner. I suspect however, that Comcast and most ISPs who use DHCP for their clients would be blocking UDP ports 67 and 68 since otherwise a client's DHCP server could interfere with the ISP's network. Blocking port 520 UDP (RIP) is also difficult to detect, but it would make sense for an ISP to block it to prevent interference with their own routers.
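
An added example, not part of any post in this thread: a small Python probe for the test method described above, run from a second machine against your own DMZ host. It assumes that host's firewall rejects rather than drops (Combat Chuck's suggestion), so TCP silence points upstream; the function names and the TCP/UDP port split are this example's own, and the UDP result shows why NetFixer calls UDP blocking hard to detect.

```python
import socket

# Ports mentioned in the thread. The TCP/UDP split is an assumption of this
# example, following the post that ties 53/67/68/520 to UDP.
THREAD_TCP_PORTS = [53, 55, 77, 113, 135, 136, 137, 138, 139, 445, 1080]
THREAD_UDP_PORTS = [53, 67, 68, 520]

def tcp_state(host, port, timeout=3.0):
    """open = handshake completed, closed = RST came back, filtered = no answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # probe reached the host, so nothing upstream dropped it
    except OSError:
        return "filtered"    # timeout or ICMP unreachable: dropped somewhere on the path

def udp_state(host, port, timeout=3.0, payload=b"\x00"):
    """closed = ICMP port-unreachable came back; silence cannot be decided."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors surface as exceptions
        try:
            s.send(payload)
            s.recv(1024)
            return "open"            # a service answered the datagram
        except ConnectionRefusedError:
            return "closed"          # reached the host, so not blocked upstream
        except socket.timeout:
            return "open|filtered"   # quiet listener or dropped en route: ambiguous

def upstream_block_candidates(host, tcp_ports, timeout=3.0):
    """TCP ports with no answer at all. Only meaningful when the target's own
    firewall is set to reject instead of drop (stealth mode off)."""
    return [p for p in tcp_ports if tcp_state(host, p, timeout) == "filtered"]

if __name__ == "__main__":
    import sys
    # Default is loopback; pass the address of your own test host instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in THREAD_TCP_PORTS:
        print(f"tcp/{p}: {tcp_state(target, p)}")
    for p in THREAD_UDP_PORTS:
        print(f"udp/{p}: {udp_state(target, p)}")
    print("possible upstream TCP blocks:",
          upstream_block_candidates(target, THREAD_TCP_PORTS))
```

A UDP result of `open|filtered` settles nothing by itself; only `closed` or `open` proves the datagram got through.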

Nerdtalker
Working Hard, Or Hardly Working?
MVM
join:2003-02-18
San Jose, CA

Nerdtalker to Johkal

MVM

to Johkal
Some of these are probably blocked in the .config file as well.

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer.

oldTDNickell5
Premium Member
join:2000-12-19
Federal Way, WA

oldTDNickell5

Premium Member

said by Nerdtalker:

Some of these are probably blocked in the .config file as well.

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer.
I agree this FAQ should be left alone.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob to Nerdtalker

Premium Member

to Nerdtalker
said by Nerdtalker:

Also, the source of the information in the FAQ was Qumahlin, an extremely reputable Comcast network engineer.
Who by the way hasn't posted since Dec 24th.

Having someone from Comcast say what they are blocking would indeed be the best option.

oldTDNickell5
Premium Member
join:2000-12-19
Federal Way, WA

oldTDNickell5

Premium Member

He's not the only one that has been absent.
We seem to have lost a lot of our top helpers.
I won't name names; you guys know who they are.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to Johkal

MVM

to Johkal
said by Johkal:

Per this FAQ: »Comcast High Speed Internet FAQ »What ports does Comcast block?

"Comcast currently blocks ports 67, 68, 135-139, 445, 520, and 1080."

Are all of these ports still blocked?
Are there any additions?
DHCP, NetBIOS, SMB, RIP, and Socks4. All sources of potential, or actual abuse. I think you will be hard pressed to find a residential service which doesn't block some subset of those ports.

MrChupacabra
Premium Member
join:2003-03-26
Florida

MrChupacabra to Johkal

Premium Member

to Johkal
Ok, after digging around at work before I left tonight I can't find any updated information on the blocked port list we have. That information hasn't been updated in 2 years or so. It's still considered the official Comcast list of blocked ports though. Now as to what's blocked (TCP/UDP/etc.) I don't know.

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

1 recommendation

Johkal to Nerdtalker

MVM

to Nerdtalker
said by Nerdtalker:

For this to be successful, we need to establish some kind of common testing methodology instead of having everybody fend for themselves and create their own impromptu tests, otherwise we might be putting the validity of our results in question.

That's a great idea. Any suggestions on how to approach this?

I would leave this FAQ alone, but being 2 years old leaves some doubts. If the remaining ports are not confirmed blocked/not blocked, I will just add a note to the original FAQ as such.
Johkal

Johkal

MVM

Anyone else interested in verifying these ports?

MrChupacabra
Premium Member
join:2003-03-26
Florida

MrChupacabra

Premium Member

said by Johkal:

Anyone else interested in verifying these ports?
What? Poke and prod at the system to see what it does? That sounds fun. Just let me know what you need to have done and what we will be using for the standards so that it's all consistent.

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

Johkal

MVM

Check your IM.

dpierce
Lazyrabbitt
Premium Member
join:2002-09-30
Gaithersburg, MD

dpierce to Johkal

Premium Member

to Johkal
I put one of my PCs in the DMZ and turned off the firewall. The screenshot is what I got. With the firewall up, everything except what I specifically opened is in stealth mode.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob to Johkal

Premium Member

to Johkal
I wonder if it's important to scan/check any ports above the highest one already listed, 1080? Shields Up also checks for ports 1720 and 5000. But Shields Up only checks the first 1056 service ports automatically. The rest have to be scanned individually one at a time. Are there any tests out there that will test all possible ports?

Nerdtalker
Working Hard, Or Hardly Working?
MVM
join:2003-02-18
San Jose, CA

Nerdtalker to Johkal

MVM

to Johkal
The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.

That, and I'm not willing to set up something over here (even temporarily) wide open while someone else port-scans me. And that's the only way I can think of for truly testing; having one person sit with a computer on a DMZ with all those suspected services running while another person simply port-scans the other.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob

Premium Member

said by Nerdtalker:

The thing is, it's unclear whether the ports are blocked only in a certain direction, or both. That's why certain test methods are ineffective.
That is a question I have as well. I will set up a system fully open. I have them to spare so that's not an issue. lol
One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice.

Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time.

As I mentioned to Johkal, with all the Comcast Comm Techs we have on here, I don't know why we can't get a simple answer from them. Not that they would know but perhaps they could contact the network engineers and find out for sure.

dpierce
Lazyrabbitt
Premium Member
join:2002-09-30
Gaithersburg, MD

dpierce

Premium Member

You could get a friend to use nmap to do a full scan on your system once it is in a dmz.. »www.insecure.org/nmap/

Nerdtalker
Working Hard, Or Hardly Working?
MVM
join:2003-02-18
San Jose, CA

Nerdtalker to jbob

MVM

to jbob
said by jbob:

One question I have is whether using WinXP Pro fully patched will allow for fully checking of open ports since MS has closed certain ones with patches for security reasons. Maybe using Win98SE would be a better OS to test with or would a *nix distro be a better choice.

Also asking if there are any other tests that will test more than the standard ones that Shields Up tests for automatically. Shields Up will test all the ones above 1056 but it has to be done manually and one at a time.
It doesn't matter, really. Find a service that runs on one of those ports, and it'll be open. Just run "netstat -an" (without quotes of course) from a command prompt and you can see what ports are open, closed, etc.

As for finding a good service to test the ports, just throw your public IP up here and I'm sure someone (myself included) will gladly portscan you and post back with the results.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

2 edits

1 recommendation

jbob

Premium Member

Check your PM. Ah what the heck. Here's my open IP as of now: 69.247.119.228. No firewall or NAT.
A quick check with Shields Up showed ports 113, 135-139 and 445 as stealth. All others below 1056 showed Closed.
I'll have it open from 7 to 8 pm CST

Dlazy
@comcast.net

Dlazy

Anon

Is Shields Up testing both TCP and UDP? NetFixer made an excellent point back on page one.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to dpierce

MVM

to dpierce
What you should do is not turn the firewall off completely; rather, temporarily "trust" the source IP address that is probing your computer. In that way, the test site will react as if the DMZ computer had no firewall, but, to the rest of the Internet, access to your computer is still blocked.