This is a discussion on Hard port blocking in the VPS & Dedicated forum

  1. #1
    JPC Member (Join Date: Oct 2006, Posts: 5)

    Hard port blocking

    I have noticed that when I am connecting to my http server (port 80) or sshd daemon from my home computer I'm receiving a "Host unreachable" answer from time to time (quite rarely). After pressing the "try again" browser button I'm receiving the correct result.

    After some investigation of this situation I have discovered some regularity using the netstat utility.

    When my local computer's ports in the TCP connection coincide with some list of well-known ports, such as 1182, 1080, 3128, 6667 and so on, any packets between my computer and the server are being blocked and the connection on my computer stays in the SYN state for quite a long time.

    My conclusion is that jaguarpc routers block ALL TCP packets with a destination port from this list, not only packets outgoing from servers, but also packets answering client computers' connection requests.

    If I'm right, such hard blocking worsens client servers' reachability.

  2. #2
    Gwaihir, the Windlord (Join Date: Jun 2002, Posts: 2,562)
    Were you able to test where in the connection between your browser and the server this blocking happens? Sounds to me like something that could just as easily be caused by a poorly configured home firewall or router, or an over eager ISP. Hence the question: have you been able to pinpoint it?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  3. #3
    the_ancient, Loyal Client (Join Date: Feb 2004, Posts: 3,386)
    Quote Originally Posted by Gwaihir:
    Were you able to test where in the connection between your browser and the server this blocking happens? Sounds to me like something that could just as easily be caused by a poorly configured home firewall or router, or an over eager ISP. Hence the question: have you been able to pinpoint it?
    ComCast is notorious for blocking common ports in an effort to "stop the evil p2p".

    After all, they don't want you to actually use the internet for anything other than web browsing and email; that is all, so all you need is 80 and 110, right?
    -------------------------
    the_ancient
    MP Technology Group

  4. #4
    JPC Member (Join Date: Oct 2006, Posts: 5)
    Quote Originally Posted by Gwaihir:
    Were you able to test where in the connection between your browser and the server this blocking happens? Sounds to me like something that could just as easily be caused by a poorly configured home firewall or router, or an over eager ISP. Hence the question: have you been able to pinpoint it?
    As I mentioned above, using the netstat utility, for example (netstat -an; ports and IPs only as an example):
    TCP xx:1082 69.73.138.xx:80 SYN_SENT
    TCP xx:1084 69.73.138.xx:80 ESTABLISHED
    TCP xx:1085 69.73.138.xx:80 ESTABLISHED
    No such behaviour was observed for other networks.
    Of course, it is very difficult for me to repeat such behaviour without special programming and to find out the reason correctly, but my fairly long parallel experience as a user of jaguarpc and other hostings suggested the above-mentioned reason to me.
    Last edited by parthenon; 02-09-2008 at 05:09 PM.

  5. #5
    Gwaihir, the Windlord (Join Date: Jun 2002, Posts: 2,562)
    Quote Originally Posted by the_ancient:
    After all they dont want you to actually use the internet for any other than web browsing and email, that is all so all you need is 80 and 110 right
    That's not quite how it works. Port 80 is only the "doorbell" that the http server listens to. A browser contacts the server on port 80 from some other port. The webserver responds to that other port on the client, itself picking a port different from 80 to send from as well. So, even when "just webbrowsing", you do use other ports too. The topic starter is describing that he finds traffic blocked when coming from some of the usual ports involved.
    I've tried to reproduce those results. I've not stared at such before, but nevertheless I doubt I'm seeing anything unusual from here. I do occasionally see a SYN_SENT status, but it doesn't stick around. I could simply catch a connection at that stage occasionally, no? It is after all 0.125 seconds round trip to the server (from here).
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  6. #6
    JPC Member (Join Date: Oct 2006, Posts: 5)
    Quote Originally Posted by Gwaihir:
    I've tried to reproduce those results. I've not stared at such before, but nevertheless I doubt I'm seeing anything unusual from here. I do occasionally see a SYN_SENT status, but it doesn't stick around. I could simply catch a connection at that stage occasionally, no? It is after all 0.125 seconds round trip to the server (from here).
    I have written a simple Perl script to reproduce the situation (below). It seems I'm right and I have found many such blocked ports...

    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Socket;

    # Target server (address redacted by the poster); every probe goes to its port 80.
    my $remote = '69.73.xx.xx';
    my $iaddr  = inet_aton($remote) || die "no host: $remote";
    my $paddr  = sockaddr_in(80, $iaddr);
    my $proto  = getprotobyname('tcp');
    my %badPorts = ();   # local source port => number of failed connects

    # Open many short-lived connections. The OS picks a fresh ephemeral
    # source port each time, so this walks through the local port range.
    for (my $i = 0; $i < 9000; $i++) {
        if (socket(SOCK, PF_INET, SOCK_STREAM, $proto)) {
            if (connect(SOCK, $paddr)) {
                my $mysockaddr = getsockname(SOCK);
                my ($myport, $myaddr) = sockaddr_in($mysockaddr);
                my $peeraddr = getpeername(SOCK);
                my ($rport, $raddr) = sockaddr_in($peeraddr);
                print inet_ntoa($myaddr) . ":$myport > " . inet_ntoa($raddr) . ":$rport\n";
                close(SOCK);
                sleep 1 unless $i % 8;   # short pause after every 8 connects
            } else {
                # connect failed (usually a timeout): record the source port that was used
                my $mysockaddr = getsockname(SOCK);
                my ($myport, $myaddr) = sockaddr_in($mysockaddr);
                warn "\aconnect: $!, port $myport";
                $badPorts{$myport}++;
                close(SOCK);
            }
        } else {
            warn "\asocket: $!";
        }
    }

    open(my $list, '>>', 'blocked.txt') or die "cannot open blocked.txt: $!";
    print "blocked ports: ";
    foreach my $port (sort { $a <=> $b } keys %badPorts) {
        print "$port ";
        print $list "$port\n";
    }
    close $list;
    #cat blocked.txt
    1075
    1080
    1180
    1214
    1234
    1433
    1524
    3127
    3128
    3802
    4444
    4660
    4663
    4666
    4669
    4676
    5000
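A controlled version of the probe the script above performs, added here as an example and not part of the thread or the poster's script: rather than waiting for the OS to hand out one of the suspect ports at random (the point Gwaihir makes in #5 about the client side of a connection using its own port), it binds each local source port explicitly, tries the connection and records whether the SYN is answered, refused, or simply times out. The port list is the posted blocked.txt; the host, the loopback self_test helper and the timeout values are assumptions.

```python
import errno
import socket

# Source ports the poster's blocked.txt lists (copied from the thread).
SUSPECT_SOURCE_PORTS = [1075, 1080, 1180, 1214, 1234, 1433, 1524, 3127, 3128,
                        3802, 4444, 4660, 4663, 4666, 4669, 4676, 5000]


def probe_source_port(host, port, src_port, timeout=3.0):
    """Connect to host:port from a fixed local source port and classify the
    outcome: "ok", "timeout" (SYN unanswered, the SYN_SENT symptom in the
    thread), "refused" (an RST came back, so the path is open), "in_use"
    (local port busy, no verdict) or "error"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow binding a port still in TIME_WAIT from an earlier probe.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    try:
        s.bind(("", src_port))
    except OSError as e:
        s.close()
        return "in_use" if e.errno in (errno.EADDRINUSE, errno.EACCES) else "error"
    try:
        s.connect((host, port))
        return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        s.close()


def find_blocked_source_ports(host, port, src_ports, timeout=3.0):
    """Probe each source port once; return (ports that timed out, all results)."""
    results = {p: probe_source_port(host, port, p, timeout) for p in src_ports}
    return sorted(p for p, r in results.items() if r == "timeout"), results


def self_test(src_ports=(20001, 20002, 20003)):
    """Probe a throwaway listener on 127.0.0.1 (a constructed target, so this
    runs offline); nothing filters loopback, so the blocked list should be []."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(8)  # no accept() needed: the kernel completes the handshake
    try:
        return find_blocked_source_ports("127.0.0.1", lst.getsockname()[1], src_ports, 2.0)
    finally:
        lst.close()
```

Against a real server, run find_blocked_source_ports(host, 80, SUSPECT_SOURCE_PORTS) from each network you want to compare; a port that times out from home but not from another network points at something on the home side of the path, which is the distinction Gwaihir and Ron ask about.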

  7. #7
    Ron, Loyal Client (Join Date: Aug 2002, Posts: 7,312)
    Check your own router or firewall software. Sometimes when they detect, or think they are detecting, an attack they close the ports dynamically.

    Just a thought.

    grc.com used to have a good inbound port scanner.
    Good luck
