
ftp,ssh,http blocked by ISP?


Bob Tennent

Jul 18, 2020, 8:38:28 AM
For years I've used port-forwarding in my router to allow
external access to ftp, ssh, and http servers. Recently,
this no longer works. The servers are running normally and
can be accessed internally. I can even access them via the
router IP address, showing that port-forwarding is still
working. I've also tried port-forwarding and DMZ in the
modem, to no avail. So my conjecture is that the ISP has
decided to block packets it considers unworthy before they
reach the modem.

Is this at all likely? How can I test/confirm the
conjecture? If it is confirmed, what can I do? Needless to
say, ISP "technical support" has so far been useless.

Bob T.

Dan Purgert

Jul 18, 2020, 10:59:50 AM
Just for giggles, is your gateway showing an IP address in RFC1918 or
RFC6598 space? Also if you're using DNS, is the DNS pointing at the
right IP address still (e.g. ISP hasn't handed out a new address instead
of what you've had in the past).



--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O| Former PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281

Ken Hart

Jul 18, 2020, 11:12:52 AM
Try this site for starters:
whatismybrowser.com
Click on "Detect my settings"
Go down to Detect Network/Internet Details
Click on "Is my ISP filtering my outgoing network ports?"

My "not at all in depth" research shows that some ISP's do block certain
ports. Maybe because of abuse in the past, maybe because they want to
sell you a more expensive package.


This site suggests changing your SSH port to 443, which is used for https:

https://www.digitalocean.com/community/questions/how-to-access-port-22-if-isp-has-blocked-port-22


This site suggests changing the port to a random port. The problem is
finally resolved (spoiler alert!) when the o. p. checks more deeply into
his modem/router and discovers that port 22 has to be set up manually.
BTW, I had to do this on my Netgear router from Frontier.

https://www.lowendtalk.com/discussion/40515/isp-blocks-ssh-port-22-workarounds

--
Ken Hart
kwh...@frontier.com

William Unruh

Jul 18, 2020, 11:15:58 AM
On 2020-07-18, Dan Purgert <d...@djph.net> wrote:


>
> Bob Tennent wrote:
>> For years I've used port-forwarding in my router to allow
>> external access to ftp, ssh, and http servers. Recently,
>> this no longer works. The servers are running normally and
>> can be accessed internally. I can even access them via the
>> router IP address, showing that port-forwarding is still
>> working. I've also tried port-forwarding and DMZ in the
>> modem, to no avail. So my conjecture is that the ISP has
>> decided to block packets it considers unworthy before they
>> reach the modem.
>>
>> Is this at all likely? How can I test/confirm the
>> conjecture? If it is confirmed, what can I do? Needless to
>> say, ISP "technical support" has so far been useless.
>
> Just for giggles, is your gateway showing an IP address in RFC1918 or
> RFC6598 space? Also if you're using DNS, is the DNS pointing at the
> right IP address still (e.g. ISP hasn't handed out a new address instead
> of what you've had in the past).

Just to amplify, can you ssh out to some server somewhere? Or you can go
to
https://portforward.com/networking/routers_ip_address.htm
and at the bottom of the page will be listed your router's external IP
address, the one you have to ssh/ftp/... to to get your port forwarding
done.
If, using that IP you get nothing from your router, make sure first that
your router's firewall is not blocking incoming packets to, say, port
23 (ssh).
As he says, remember that the ISP reserves the right to change that IP
address without warning. Thus you need some way of finding out that IP
address constantly and letting those machines that need to contact yours
what the IP address is of the router when it changes.
If you have set up your system to go through a vpn, then there is no way
that an outsider can get at your system. That is the purpose of a vpn.
You can sometimes add those external systems that need to get through to
you to the routing on your computer so that those addresses are not
routed through the vpn, but go directly so you can contact them when
your router ip address changes for them and change their own routing
tables.

>

John McCue

Jul 18, 2020, 12:33:26 PM
Bob Tennent <rdte...@tennent.ca> wrote:
> For years I've used port-forwarding in my router to allow
> external access to ftp, ssh, and http servers. Recently,
> this no longer works. The servers are running normally and
> can be accessed internally. I can even access them via the
> router IP address, showing that port-forwarding is still
> working. I've also tried port-forwarding and DMZ in the
> modem, to no avail. So my conjecture is that the ISP has
> decided to block packets it considers unworthy before they
> reach the modem.

Did your IP address change ?
Most cases for me, it would be a changed IP Address,
to fix you need to tie your MAC address to a specific
IP using whatever tool your ISP provides.

Comcast did make changes for me a while ago and
I had to go here to adjust:

https://internet.xfinity.com/network

Bob Tennent

Jul 18, 2020, 12:35:47 PM
On Sat, 18 Jul 2020 14:59:46 -0000 (UTC), Dan Purgert wrote:
>
> Bob Tennent wrote:
>> For years I've used port-forwarding in my router to allow
>> external access to ftp, ssh, and http servers. Recently,
>> this no longer works. The servers are running normally and
>> can be accessed internally. I can even access them via the
>> router IP address, showing that port-forwarding is still
>> working. I've also tried port-forwarding and DMZ in the
>> modem, to no avail. So my conjecture is that the ISP has
>> decided to block packets it considers unworthy before they
>> reach the modem.
>>
>> Is this at all likely? How can I test/confirm the
>> conjecture? If it is confirmed, what can I do? Needless to
>> say, ISP "technical support" has so far been useless.
>
> Just for giggles, is your gateway showing an IP address in RFC1918 or
> RFC6598 space?

I don't know what that means.

> Also if you're using DNS, is the DNS pointing at the
> right IP address still (e.g. ISP hasn't handed out a new
> address instead of what you've had in the past).

Yes. I use ddclient to keep the IP address up-to-date. In
any case, connecting directly to the (current) IP address
doesn't work either.

Bob Tennent

Jul 18, 2020, 12:44:20 PM
On Sat, 18 Jul 2020 11:12:47 -0400, Ken Hart wrote:
> On 7/18/20 8:38 AM, Bob Tennent wrote:
>> For years I've used port-forwarding in my router to allow
>> external access to ftp, ssh, and http servers. Recently,
>> this no longer works. The servers are running normally and
>> can be accessed internally. I can even access them via the
>> router IP address, showing that port-forwarding is still
>> working. I've also tried port-forwarding and DMZ in the
>> modem, to no avail. So my conjecture is that the ISP has
>> decided to block packets it considers unworthy before they
>> reach the modem.
>>
>> Is this at all likely? How can I test/confirm the
>> conjecture? If it is confirmed, what can I do? Needless to
>> say, ISP "technical support" has so far been useless.
>>
>> Bob T.
>>
>
> Try this site for starters:
> whatismybrowser.com
> Click on "Detect my settings"
> Go down to Detect Network/Internet Details
> Click on "Is my ISP filtering my outgoing network ports?"

The problem is *incoming* packets. Not necessarily from my
browser.

> My "not at all in depth" research shows that some ISP's do block certain
> ports. Maybe because of abuse in the past, maybe because they want to
> sell you a more expensive package.
>
> This site suggests changing your SSH port to 443, which is used for https:
>
> https://www.digitalocean.com/community/questions/how-to-access-port-22-if-isp-has-blocked-port-22
>
> This site suggests changing the port to a random port. The problem is
> finally resolved (spoiler alert!) when the o. p. checks more deeply into
> his modem/router and discovers that port 22 has to be set up manually.
> BTW, I had to do this on my Netgear router from Frontier.
>
> https://www.lowendtalk.com/discussion/40515/isp-blocks-ssh-port-22-workarounds

I use 22xx as both the incoming port and the port used by
sshd. Has been working for years. Similar apparent blocking
issues with ftp and http, though I use standard port numbers
for them.

Tauno Voipio

Jul 18, 2020, 1:01:43 PM
SSH is port 22. Port 23 is Telnet, which should NOT be publicly visible.

--

-TV

Lew Pitcher

Jul 18, 2020, 1:26:17 PM
On July 18, 2020 08:38, Bob Tennent wrote:

> For years I've used port-forwarding in my router to allow
> external access to ftp, ssh, and http servers. Recently,
> this no longer works. The servers are running normally and
> can be accessed internally. I can even access them via the
> router IP address, showing that port-forwarding is still
> working. I've also tried port-forwarding and DMZ in the
> modem, to no avail. So my conjecture is that the ISP has
> decided to block packets it considers unworthy before they
> reach the modem.
>
> Is this at all likely?

Yes, it is likely. Many big ISPs block "server" ports, especially
on their "consumer"-level offerings. It is possible that your
ISP has changed their policy, and is now blocking ports.

> How can I test/confirm the conjecture?

You could portscan your internet-facing IP address from outside
your lan. You could use
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
or
https://www.grc.com/x/ne.dll?bh0bkyd2

> If it is confirmed, what can I do?

Either
- move your services to ports not blocked by your ISP, or
- lease a commercial-level offering from your ISP, or
- get a new ISP

> Needless to say, ISP "technical support" has so far been useless.

Yah. And, if the ISP has a policy (see their "Terms Of Use")
of not permitting their clients to have servers, you /might/
run into a bit of "contract trouble" with your ISP if their
technical support reports you.

--
Lew Pitcher
"In Skills, We Trust"

Bob Tennent

Jul 18, 2020, 1:56:24 PM
On Sat, 18 Jul 2020 13:26:11 -0400, Lew Pitcher wrote:
>
>> How can I test/confirm the conjecture?
>
> You could portscan your internet-facing IP address from outside
> your lan. You could use
> https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

That looks promising but the free scan at least gives up if
pings are blocked. A ping-free scan is mentioned but I don't
know how to enable it.

Could I install nmap on a cloud computer and scan with that?


Lew Pitcher

Jul 18, 2020, 2:37:00 PM
Certainly. Most of the portscan websites that I've looked into use nmap
under the covers.

Bob Tennent

Jul 18, 2020, 3:06:42 PM
OK, done. But man nmap is completely incomprehensible to me. I know
pings are blocked so I need -Pn. When I do nmap -Pn myhost I get

998 filtered ports
22/tcp closed
50001 open

I could move my ftp and http stuff to the cloud computer.
That leaves ssh as the only essential service. If assume 22
and 22xx are blocked, could I use 50001 as my ssh port?

William Unruh

Jul 18, 2020, 6:06:47 PM
On 2020-07-18, Tauno Voipio <tauno....@notused.fi.invalid> wrote:
>
> SSH is port 22. Port 23 is Telnet, which should NOT be publicly visible.

Of course you are right. Sorry.
>

William Unruh

Jul 18, 2020, 6:13:09 PM
You can use any number you want as your ssh port (of course if it is the
number of some crucial service then that could cause trouble) Then on
your router port forward that port to the computer/port you actually want to use.

So, in your router port forward port 7916 to port 22 on your own
machine. Then have your remote machines connect via ssh to port 7916.
ssh -p 7916 <address of your router>

David W. Hodgins

Jul 18, 2020, 7:37:06 PM
On Sat, 18 Jul 2020 18:13:07 -0400, William Unruh <un...@invalid.ca> wrote:
> So, in your router port forward port 7916 to port 22 on your own
> machine. Then have your remote machines connect via ssh to port 7916.
> ssh -p 7916 <address of your router>

Since I switched from an adsl connection to a cable connection, I found my isp
also blocks incoming tcp connections on ports less than 1025.

The approach I use for ssh is to have my router set to forward a range of ports
to the system where I run sshd and other servers.

In /etc/ssh/sshd_config I have a line with "Port 33333" so sshd listens on that
port.

On the system that connects to my sshd server, in the user's .ssh/config
file I have ...
Host mine
Hostname my.host.name
Port 33333
User dave
ServerAliveInterval 120

So when "ssh mine" is run on the system connecting to my sshd server, it connects
to tcp port 33333 on the system identified by the hostname my.host.name.

I use an actual name rather than my.host.name, and a port other than 33333.

The dns for my system is set up using dyndns, and the ssh connection is set up
as part of using autossh, to allow me to use a reverse ssh connection to access
the remote system, so the configs are a bit more complicated than the above, but
it should give an idea of one way to set things up.

One way to confirm the standard ports are blocked is using ShieldsUP! from
https://www.grc.com/intro.htm to have it run an nmap scan of your system.

Regards, Dave Hodgins

--
Change dwho...@nomail.afraid.org to davidw...@teksavvy.com for
email replies.

Bob Tennent

Jul 18, 2020, 9:40:30 PM
On Sat, 18 Jul 2020 22:13:07 -0000 (UTC), William Unruh wrote:
>>
>> OK, done. But man nmap is completely incomprehensible to me. I know
>> pings are blocked so I need -Pn. When I do nmap -Pn myhost I get
>>
>> 998 filtered ports
>> 22/tcp closed
>> 50001 open
>>
>> I could move my ftp and http stuff to the cloud computer.
>> That leaves ssh as the only essential service. If assume 22
>> and 22xx are blocked, could I use 50001 as my ssh port?

> You can use any number you want as your ssh port (of
> course if it is the number of some crucial service then
> that could cause trouble) Then on your router port
> forward that port to the computer/port you actually want
> to use.

I know how to port-forward, use non-standard ports,
configure sshd, etc. My question is: if nmap says 50001 is
"open", can I use that as a non-standard port for ssh
without being blocked by my ISP? And I don't know what "998
filtered ports" means. And can nmap confirm that ftp and
http and even a non-standard port like 22xx for ssh are
blocked?

David W. Hodgins

Jul 18, 2020, 10:11:22 PM
On Sat, 18 Jul 2020 21:40:28 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
> I know how to port-forward, use non-standard ports,
> configure sshd, etc. My question is: if nmap says 50001 is
> "open", can I use that as a non-standard port for ssh
> without being blocked by my ISP? And I don't know what "998
> filtered ports" means. And can nmap confirm that ftp and
> http and even a non-standard port like 22xx for ssh are
> blocked?

No. If nmap says the port is already open, then it's in use by some other
service.

From nmap output of another computer on my lan, it has ...
993/tcp open imaps

That means the port has already been opened by the imaps daemon on that
system, which responded to the nmap tcp syn packet.

When an isp blocks incoming new tcp connections, they normally only block
tcp ports 1 to 1024, the standard range used by servers.

Giovanni

Jul 19, 2020, 4:10:31 AM
I would check if your ISP has changed its policies. The range of
available IP addresses is getting a very precious resource. Most ISPs
masquerade their clients behind a large private network and, in such
cases, access to private services is not possible.

My provider, both for adsl and for mobile, has different policies and
supplies a 10.x.x.x IP for mobile and a public IP (in the range
151.x.x.x) for adsl. In the latter case my web server is a public
server and is accessible to anybody in the world but how long this
situation will last I can't control.

For most users this is a useful service because they are protected from
attacks but I'm afraid of the possibility I'll lose access from the
external world. I'm waiting for ISP to implement ipv6 to overcome the
shortage of IP addresses.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
< http://giovanni.homelinux.net/ >

Carlos E.R.

Jul 19, 2020, 7:00:08 AM
On 19/07/2020 01.36, David W. Hodgins wrote:
> On Sat, 18 Jul 2020 18:13:07 -0400, William Unruh <un...@invalid.ca> wrote:
>> So, in your router port forward port 7916 to port 22 on your own
>> machine. Then have your remote machines connect via ssh to port 7916.
>> ssh -p 7916 <address of your router>
>
> Since I switched from an adsl connection to a cable connection, I found
> my isp
> also blocks incoming tcp connections on ports less than 1025.

I find that manipulation bewildering. My ISP has its quirks, but it
doesn't block any port at all. Not even 25. I am a plain home customer...

It does CGNAT on phones, though, which of course impedes any incoming
connection.

--
Cheers, Carlos.

Carlos E.R.

Jul 19, 2020, 7:00:09 AM
On 19/07/2020 03.40, Bob Tennent wrote:
> On Sat, 18 Jul 2020 22:13:07 -0000 (UTC), William Unruh wrote:
> >>
> >> OK, done. But man nmap is completely incomprehensible to me. I know
> >> pings are blocked so I need -Pn. When I do nmap -Pn myhost I get
> >>
> >> 998 filtered ports
> >> 22/tcp closed
> >> 50001 open
> >>
> >> I could move my ftp and http stuff to the cloud computer.
> >> That leaves ssh as the only essential service. If assume 22
> >> and 22xx are blocked, could I use 50001 as my ssh port?
>
> > You can use any number you want as your ssh port (of
> > course if it is the number of some crucial service then
> > that could cause trouble) Then on your router port
> > forward that port to the computer/port you actually want
> > to use.
>
> I know how to port-forward, use non-standard ports,
> configure sshd, etc. My question is: if nmap says 50001 is
> "open", can I use that as a non-standard port for ssh
> without being blocked by my ISP?

No. nmap is telling you that something is using and responding already
on port 50001

> And I don't know what "998
> filtered ports" means. And can nmap confirm that ftp and
> http and even a non-standard port like 22xx for ssh are
> blocked?

Weird, but your ISP might be examining traffic and blocking ports /he/
knows /you/ use.

--
Cheers, Carlos.

Marc Haber

Jul 19, 2020, 9:09:32 AM
Most likely they have moved your setup to something that is called
"Carrier Grade NAT" which makes it impossible to reach your home setup
from the Internet if none of your internal systems has actively
initiated the connection. This saves precious IPv4 addresses but makes
it impossible to run servers at your home.

The same way you have established the port-forwarding in your router,
they would have to establish port-forwarding from their Carrier Grade
NAT device to your router. Nearly no ISP actually offers this service.

This is what we got (and deserved!) by ignoring the IPv4-Internet
getting full and missing the IPv6 in the last two decades. And now
we're complaining about that.

Maybe if you yell loud enough they might move you back to an
exclusively assigned IPv4 address (some ISPs in Germany actually do
that on request), but you might be out of luck here.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

William Unruh

Jul 19, 2020, 1:35:46 PM
IF that is the case, then you could establish ssh tunnels to a
computer which was outside the ISP domain. Unfortunately, AFAIK the tunnel
is port specific, i.e. only one port per tunnel. So if you want to tunnel
ssh, ftp, http you would have to have three tunnels AFAIK.
You could use autossh to do so (which would reestablish the tunnel if
for some reason the ssh link died).

Anyone wanting to get at your location would then have to connect to the
appropriate port on the remote machine which would send the information
over the ssh link to your machine.

If you have no machine outside the ISP domain with its own valid
address, then you would be out of luck.
By looking at the address assigned to your router by the ISP you can
tell if they are NATing you. If it is an address in the ranges
10.x.x.x, 192.168.x.x, 172.172.16.0.0 – 172.31.255.255, then that is
what they are doing to you. If it is a valid public address, then not.

If you can log onto your router, then you can usually find out what its
outside address is. (In this case the trick of going to one of the sites
that tells you where your connection came from would not work since all
it would know is that it came from the ISP, not which of the
computers/routers it came from)

>
> Greetings
> Marc
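Dan's RFC1918/RFC6598 question and William's list of NAT ranges are the same check, so here it is as one worked example (added here; not code from anyone in the thread). It compares the WAN address shown by the outermost device you control with the address an external "what is my IP" site reports, and classifies the address ranges by the RFCs named above: RFC 1918 private space and the RFC 6598 shared space 100.64.0.0/10 that a carrier-grade NAT hands out. The sample addresses in the self-test at the bottom are constructed (the thread only gives the 142.116.xxx.xxx prefix).

```python
import ipaddress

# RFC 1918 private space (what a home router or a NATing modem hands out on its
# LAN side) and RFC 6598 shared address space (what a carrier-grade NAT hands
# out to the WAN side of a customer's router).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_address(addr: str) -> str:
    """Label an address as ipv6, rfc1918, rfc6598, other-non-global or public."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    if ip in RFC6598_NET:
        return "rfc6598"
    if not ip.is_global:  # loopback, link-local 169.254/16, documentation ranges, ...
        return "other-non-global"
    return "public"


def diagnose_wan(device_wan_addr: str, addr_seen_from_internet: str) -> str:
    """Explain what the WAN address of the outermost device you control implies.

    device_wan_addr: the address the modem (or router, if the modem is a plain
    bridge) shows on its WAN/Internet side.
    addr_seen_from_internet: what a 'what is my IP' site reports for you.
    """
    kind = classify_address(device_wan_addr)
    if kind == "rfc6598":
        return ("cgnat: the ISP runs carrier-grade NAT in front of you; "
                "port forwards on your own equipment cannot be reached from the Internet")
    if kind == "rfc1918":
        return ("upstream-nat: another NAT device sits in front of this one "
                "(the ISP, or your own modem); a forward is needed there as well")
    if kind == "public" and device_wan_addr == addr_seen_from_internet:
        return ("public-direct: no NAT upstream; look at port filtering or the "
                "local forwarding chain instead")
    if kind == "public":
        return ("public-mismatch: the device's public address is not what the "
                "Internet sees; check for a VPN/proxy path or a stale DNS record")
    return f"unusual: {kind} address on the WAN side"


if __name__ == "__main__":
    # Constructed sample values for a self-test (not the poster's real addresses).
    for wan, seen in (("142.116.1.1", "142.116.1.1"),    # modem with a public address
                      ("192.168.2.5", "142.116.1.1"),    # router behind a NATing modem
                      ("100.72.1.5", "142.116.1.1")):    # router behind ISP CGNAT
        print(f"{wan:>14} -> {diagnose_wan(wan, seen)}")
```

Run it with the real values read off the modem's status page, not off a web "what is my IP" site alone: in the OP's setup the modem shows the public address and the "router" behind it shows 192.168.2.x, which this check reports as upstream-nat, i.e. the modem itself is NATing and needs its own forwarding rules.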

Bob Tennent

Jul 19, 2020, 10:33:56 PM
On Sun, 19 Jul 2020 17:35:40 -0000 (UTC), William Unruh wrote:

> By looking at the address assigned to your router by the ISP you can
> tell if they are NATing you. If it is an address in the ranges
> 10.x.x.x, 192.168.x.x, 172.172.16.0.0 – 172.31.255.255, then that is
> what they are doing to you. If it is a valid public address, then not.
>
> If you can log onto your router, then you can usually find out what its
> outside address is. (In this case the trick of going to one of the sites
> that tells you where your connection came from would not work since all
> it would know is that it came from the ISP, not which of the
> computers/routers it came from)

According to whatismyip.org, my IP address is in the range
142.116.xxx.xxx and that agrees with what the modem says. Is
that the "outside address"?

William Unruh

Jul 19, 2020, 10:55:51 PM
Yes. At that point it is hard to say what would be doing the port
filtering. It would almost have to be in the modem, since it is hard
(not impossible) to see where the filtering would take place.
Do you have access to an outside machine (ie away from your ISP)?
What do you get if you do
telnet 142.116.123.234 22
(where that address should be your router address)?
Or If you are port forwarding to port 22 on your inside machine, try
telnet 142.116.123.234 2276
(where 2276 is the port you are forwarding from)

David W. Hodgins

Jul 19, 2020, 11:32:34 PM
On Sun, 19 Jul 2020 22:33:54 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
> According to whatismyip.org, my IP address is in the range
> 142.116.xxx.xxx and that agrees with what the modem says. Is
> that the "outside address"?

That's a public (aka outside) address. Depending on what the xxx.xxx really are
it's either a direct allocation to Bell Canada, or an allocation Bell has made
to Virgin Home Ontario.

David W. Hodgins

Jul 19, 2020, 11:47:13 PM
On Sun, 19 Jul 2020 22:33:54 -0400, Bob Tennent <rdte...@tennent.ca> wrote:

> According to whatismyip.org, my IP address is in the range
> 142.116.xxx.xxx and that agrees with what the modem says. Is
> that the "outside address"?

Your ip address is owned by virginmobile.ca

Running an intense stealth nmap scan of your ip address shows ...
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
50001/tcp open ssl/http lighttpd

The 998 filtered ports did not respond to the syn packets. The ssh port did respond
to the syn packet, but not a tcp packet. The http port responded to both.

No response in a browser (tried lynx) to http://your.ip.address, so the web
server is either not running, or not set up to respond to a direct by ip address
connection.

I think the router is not set up to forward the packets to the computer being
used, for the ssh service.

Bob Tennent

Jul 20, 2020, 2:01:43 AM
On Sun, 19 Jul 2020 23:46:56 -0400, David W. Hodgins wrote:
> On Sun, 19 Jul 2020 22:33:54 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
>
>> According to whatismyip.org, my IP address is in the range
>> 142.116.xxx.xxx and that agrees with what the modem says. Is
>> that the "outside address"?
>
> Your ip address is owned by virginmobile.ca
>
> Running an intense stealth nmap scan of your ip address shows ...
> Not shown: 998 filtered ports
> PORT STATE SERVICE VERSION
> 22/tcp closed ssh
> 50001/tcp open ssl/http lighttpd
>

> The 998 filtered ports did not respond to the syn
> packets. The ssh port did respond to the syn packet, but
> not a tcp packet. The http port responded to both.
>
> No response in a browser (tried lynx) to
> http://your.ip.address, so the web server is either not
> running, or not set up to respond to a direct by ip
> address connection.
>
> I think the router is not set up to forward the packets
> to the computer being used, for the ssh service.

Well I had deleted the virtual-server configuration. I've
restored it now.

sshd, vsftpd and thttpd are all running and accessible
locally.

No idea about lighttpd. Maybe it's running in the router?


Giovanni

Jul 20, 2020, 3:10:39 AM
On 07/20/2020 04:33 AM, Bob Tennent wrote:

> According to whatismyip.org, my IP address is in the range
> 142.116.xxx.xxx and that agrees with what the modem says. Is that the
> "outside address"?

Yes It is your outside address but that does not mean that it is the
ip address assigned to your router. You should try to read the address
directly from your router. If you are behind a big nat network, your
router has a different address from 142.116.xxx.xxx

Bob Tennent

Jul 20, 2020, 7:31:32 AM
On Mon, 20 Jul 2020 09:10:34 +0200, Giovanni wrote:
> On 07/20/2020 04:33 AM, Bob Tennent wrote:
>
>> According to whatismyip.org, my IP address is in the range
>> 142.116.xxx.xxx and that agrees with what the modem says. Is that the
>> "outside address"?
>
> Yes It is your outside address but that does not mean that it is the
> ip address assigned to your router. You should try to read the address
> directly from your router. If you are behind a big nat network, your
> router has a different address from 142.116.xxx.xxx

I have both a modem and a router. The modem says its IP address is
142.116... and the router's address is internal: 192.168.0.11.
So it seems I'm not "behind a big nat network" yet ftp,ssh,http are
being blocked somewhere.

Tauno Voipio

Jul 20, 2020, 10:49:59 AM
Are you mixing up a router and a switch? If the 'router' has all the
ports in the same internal network, it must be a switch.

If the router is connected to two (or more) different subnets, you
do need to have a path from the modem to the hosts having the servers.

Also, you need to have the port forwarding for all the services in
the modem, which obviously does a NAT.

--

-TV

Bob Tennent

Jul 20, 2020, 11:32:48 AM
On Mon, 20 Jul 2020 17:49:56 +0300, Tauno Voipio wrote:
> On 20.7.20 14.31, Bob Tennent wrote:
>> On Mon, 20 Jul 2020 09:10:34 +0200, Giovanni wrote:
>> > On 07/20/2020 04:33 AM, Bob Tennent wrote:
>> >
>> >> According to whatismyip.org, my IP address is in the range
>> >> 142.116.xxx.xxx and that agrees with what the modem says. Is that the
>> >> "outside address"?
>> >
>> > Yes It is your outside address but that does not
>> > mean that it is the ip address assigned to your
>> > router. You should try to read the address directly
>> > from your router. If you are behind a big nat
>> > network, your router has a different address from
>> > 142.116.xxx.xxx
>>
>> I have both a modem and a router. The modem says its IP address is
>> 142.116... and the router's address is internal: 192.168.0.11.
>> So it seems I'm not "behind a big nat network" yet ftp,ssh,http are
>> being blocked somewhere.

> Are you mixing up a router and a switch? If the 'router'
> has all the ports in the same internal network, it must
> be a switch.

I just connect what I call the router to the modem and all
the internal devices connect to the "router", whether wired
or wireless. In the past I configured virtual servers on
the "router" and it worked. I don't believe I configured
port forwarding on the modem as well but I may have just
forgotten about it.

> Also, you need to have the port forwarding for all the
> services in the modem, which obviously does a NAT.

Well I can try that but the modem has a 192.168.2.1
address and the "router" and all the internal devices have
192.168.0.x addresses. Do I forward the relevant ports to
the "router" or to the actual server system?

Tauno Voipio

Jul 20, 2020, 2:01:40 PM
To keep things straight, the "router" is a real router between
two different subnets (192.168.0.x and 192.168.2.x), unless
you are having a wide netmask covering both (e.g. 255.255.0.0).

If you can tell the modem's port forwarding that the targets are
in a different subnet, it is all OK to send directly.

The setup seems too complicated to me, but you may have a good
reason for it.

--

-TV

Bit Twister

Jul 20, 2020, 2:04:18 PM
On Mon, 20 Jul 2020 15:32:46 -0000 (UTC), Bob Tennent wrote:
>

> Well I can try that but the modem has a 192.168.2.1
> address and the "router" and all the internal devices have
> 192.168.0.x addresses. Do I forward the relevant ports to
> the "router" or to the actual server system?

In a single "router" setup you forward the port to the target system/ip.

In my setup, I have 3 computers so I have my router forward
ssh port 40100 to port 22 192.168.0.100
ssh port 40200 to port 22 192.168.0.200
ssh port 40300 to port 22 192.168.0.300
All nodes can ssh to each other on port 22.

Now if I am at my neighbors house and want to copy a file or two from
my home I would do a
scp -P 40200 xx $LOGNAME@bit:$PWD/some_fn some_fn

If wanting to use rsync it would be
rsync -aAHSXxv --rsh="ssh -p 40200" --delete $LOGNAME@bit:$PWD/some_fn some_fn

If I want to log into my system it would be
ssh -p 40200 $LOGNAME@bit

In my case I have two routers, my LAN router and ISP router.
LAN router is configured as above, and the ISP router is configured
to forward all services and ports to the same service and ports
to the LAN ip address.

Firewalls on my nodes will only accept ssh connections from
known ip addresses on the 40x00 port, and only lan ip addresses on
the ssh port.

William Unruh

Jul 20, 2020, 4:11:42 PM
On 2020-07-20, Bob Tennent <rdte...@tennent.ca> wrote:
?? The modem is the important thing. It has to know where to send stuff
to (what MAC address to use to deliver the packets) The modem should
have both an internal address, and an external address.
It would really really help if you remembered that we have no idea what
your setup is except what you tell us. The more information you give us,
the more easily we can help you. If we have to guess, we are liable to
guess wrongly and send you racing after ghosts. How is your system set
up? draw a line art diagram. What are the various addresses you have.

Bob Tennent

Jul 20, 2020, 4:42:29 PM
Thanks, but everything had been working fine for years until
a week ago when suddenly ftp, ssh, http were no longer
working from outside. I've verified that they do work
internally. So I conjecture that the relevant ports are now
being blocked by my ISP and all I want is a way to confirm
that. There's no use trying to re-configure the internal
network if the problem is elsewhere so I can't tell what
does or does not work.

William Unruh

Jul 20, 2020, 5:11:24 PM7/20/20
The way you confirm that is by trying and failing. Unfortunately that
does not discriminate between their blocking it and a misconfiguration
on your part, which is why you must eliminate that possibility first.

Since your modem sends everything it gets to what you call the
router, and your router has its incoming address on your network, you
can perhaps use tcpdump to look at the traffic flowing from the modem to
the router, and see if there is any evidence that the packets you
want are travelling between the modem and the router. If they are, then
your router, or the way you have set it up, is the problem.
Since your modem has a definite, not NAT, IP address accessible from
outside, it is highly unlikely that your ISP is blocking access to what
you call the modem on those ports. And since you do not have access to
the network that the outside address of the modem is on, you cannot
monitor the traffic on that part of the network to see if the packets
are reaching the modem. So you will have to get onto technical support
for BELL or Virgin to see if they have blocked access to those ports in
the modem. Phone them and if you get brushed off by the tech support
personnel ask to speak to a supervisor, and do not take "I do not know"
as an answer.
I had Shaw and now Telus as ISPs, and neither blocks incoming ports.
Of course neither is Bell or Virgin, so their practice does not say much
about Bell/Virgin (which one is it, by the way?)

David W. Hodgins

Jul 20, 2020, 9:01:54 PM7/20/20
On Mon, 20 Jul 2020 02:01:41 -0400, Bob Tennent <rdte...@tennent.ca> wrote:
> No idea about lighttpd. Maybe it's running in the router?

That may have been a guess by nmap when the port is open, but no info is
being returned to indicate which http server is being used.

Bob Tennent

Jul 20, 2020, 9:52:18 PM7/20/20
Virgin Mobile in Canada was independent at one time and was
bought by Bell. They offer a somewhat lower-cost service
using Bell fiber and infrastructure.

I've tried taking the router out of the equation by
connecting a laptop directly to the modem and forwarding
the relevant ports to it. Of course, it doesn't work. As
far as I'm concerned, that eliminates the possibility of
"mis-configuration" explaining the problem.

dyrmak

Jul 21, 2020, 4:35:08 AM7/21/20
In 62 lines Bob Tennent wrote
in news:rf5hog$q54$1...@dont-email.me
on Tuesday, 21 July 2020 at 03:52:16:

>
> I've tried taking the router out of the equation by
> connecting a laptop directly to the modem and forwarding
> the relevant ports to it. Of course, it doesn't work. As
> far as I'm concerned, that eliminates the possibility of
> "mis-configuration" explaining the problem.
>

The modem is still in the equation and it might be the faulty one.
I had a tp-link router hooked to an ethernet modem and at some
point the apache wasn't reached anymore; I had to put the old modem
router back into service and hook the tp-link in switch mode, and
all the services were back again from the outside. So much
for this ethernet modem; I would have liked to replace it
with another one, but have not found one yet.

( In my case, port forwarding and virtual hosts are hooked
to the old modem-router, wifi connections and other computers
hooked through tp-link in switch mode )

dyrmak
--
There is no other way
++++ --- ++++
Linux operating system
++++ --- ++++

Bob Tennent

Jul 21, 2020, 6:34:41 AM7/21/20
On Sat, 18 Jul 2020 12:38:26 -0000 (UTC), Bob Tennent wrote:
> For years I've used port-forwarding in my router to allow
> external access to ftp, ssh, and http servers. Recently,
> this no longer works. The servers are running normally and
> can be accessed internally. I can even access them via the
> router IP address, showing that port-forwarding is still
> working. I've also tried port-fowarding and DMZ in the
> modem, to no avail. So my conjecture is that the ISP has
> decided to block packets it considers unworthy before they
> reach the modem.
>
> Is this at all likely? How can I test/confirm the
> conjecture? If it is confirmed, what can I do? Needless to
> say, ISP "technical support" has so far been useless.

The situation has gotten worse. I set up an ftp server on
an AWS computer and it seems I can connect to it and even
navigate through the directories, but listing directory
contents and getting files does not work: Data connection
timed out. I've stopped the internal firewall and opened
ports 20-23 on the AWS firewall.

Giovanni

Jul 21, 2020, 7:48:42 AM7/21/20
On 07/21/2020 12:34 PM, Bob Tennent wrote:

> I can connect to it and even navigate through the directories, but
> listing directory contents and getting files does not work: Data
> connection timed out.

FTP requires a properly configured firewall. You have to configure your
firewall and use FTP in passive mode.

I assume that you are using a modern linux distribution so check for the
'nf_conntrack_ftp' module that can keep track and accept the connections
required by the FTP protocol.

Bob Tennent

Jul 21, 2020, 9:35:32 AM7/21/20
On Tue, 21 Jul 2020 13:48:37 +0200, Giovanni wrote:
> On 07/21/2020 12:34 PM, Bob Tennent wrote:

>> I can connect to it and even navigate through the
>> directories, but listing directory contents and getting
>> files does not work: Data connection timed out.

> FTP requires a properly configured firewall. You have to
> configure your firewall and use FTP in passive mode.

I'd stopped the internal firewall thinking it would avoid
problems but I guess that was a mistake. I just have
to figure out how to configure the firewall using the
command-line tool.

What does using FTP in passive mode mean?

> I assume that you are using a modern linux distribution
> so check for the 'nf_conntrack_ftp' module that can keep
> track and accept the connections required by the FTP
> protocol.

Is that a kernel module? Wouldn't vsftpd set that up?

Bob T.

Carlos E.R.

Jul 21, 2020, 10:04:08 AM7/21/20
On 21/07/2020 15.35, Bob Tennent wrote:
> On Tue, 21 Jul 2020 13:48:37 +0200, Giovanni wrote:
> > On 07/21/2020 12:34 PM, Bob Tennent wrote:
>
> >> I can connect to it and even navigate through the
> >> directories, but listing directory contents and getting
> >> files does not work: Data connection timed out.
>
> > FTP requires a properly configured firewall. You have to
> > configure your firewall and use FTP in passive mode.
>
> I'd stopped the internal firewall thinking it would avoid
> problems but I guess that was a mistake. I just have
> to figure out how to configure the firewall using the
> command-line tool.
>
> What does using FTP in passive mode mean?

Eumm... better read Wikipedia.

The basic difference with FTP is that it uses two ports: one for
control, another for data. This second port is not fixed, and can be
created on the server or on the client - and depending on that, it is
called active or passive ftp.

<https://en.wikipedia.org/wiki/File_Transfer_Protocol>

>
> > I assume that you are using a modern linux distribution
> > so check for the 'nf_conntrack_ftp' module that can keep
> > track and accept the connections required by the FTP
> > protocol.
>
> Is that a kernel module? Wouldn't vsftpd set that up?

No.


--
Cheers, Carlos.

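The active/passive distinction above, together with Giovanni's point that the firewall must admit the data connection, is what produces the "Data connection timed out" Bob reported. The following is an added example, not code from any poster in this thread: it parses the server's PASV reply, builds the client's PORT command for active mode, and flags the two server-side mistakes that cause exactly that timeout. The sample replies and the 50000-50100 port range are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample replies (not captured from any server in the thread).
SAMPLE_PASV_OK = "227 Entering Passive Mode (198,51,100,10,195,89)"
SAMPLE_PASV_NAT = "227 Entering Passive Mode (10,0,0,5,195,89)"

PASV_RE = re.compile(
    r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Addresses a remote client can never reach directly: RFC 1918 ranges plus
# the RFC 6598 carrier-grade NAT range.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode' reply.
    Passive mode: the server opens a data port and the client connects to it,
    so the server-side firewall must allow inbound connections to that port."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    host = ".".join(m.groups()[:4])
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        raise ValueError("bad port octets in %r" % reply)
    return host, p1 * 256 + p2

def build_port_cmd(host, port):
    """Build the client's PORT command for active mode, where the client listens
    and the server connects back to it (this is what fails behind client-side NAT)."""
    addr = ipaddress.IPv4Address(host)  # raises on anything but an IPv4 literal
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (str(addr).replace(".", ","), port // 256, port % 256)

def diagnose_pasv(reply, pasv_min, pasv_max):
    """List reasons a client would hit 'Data connection timed out' after this reply.
    pasv_min/pasv_max is the port range the server's firewall opens
    (vsftpd names these pasv_min_port / pasv_max_port)."""
    host, port = parse_pasv(reply)
    problems = []
    if any(ipaddress.ip_address(host) in net for net in UNROUTABLE):
        problems.append("server announced unroutable address %s; a server behind "
                        "NAT must advertise its public address instead" % host)
    if not pasv_min <= port <= pasv_max:
        problems.append("data port %d is outside the opened range %d-%d"
                        % (port, pasv_min, pasv_max))
    return problems

if __name__ == "__main__":
    for reply in (SAMPLE_PASV_OK, SAMPLE_PASV_NAT):
        print(reply, "->", diagnose_pasv(reply, 50000, 50100) or "looks reachable")
```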
Carlos E.R.

Jul 29, 2020, 4:44:08 AM7/29/20
On 29/07/2020 06.26, Johann Beretta wrote:
> On 7/19/20 3:56 AM, Carlos E.R. wrote:
>
>>
>> I find that manipulation bewildering. My ISP has its quirks, but it
>> doesn't block any port at all. Not even 25. I am a plain home customer...
>>
>> It does GNAT on phones, though, which of course impedes any incoming
>> connection.
>>
>
> Failure to block port 25 (outbound) on dynamic or home connections is
> one of the criteria for ending up on a SORBS type list.
>
> Any ISP that fails to block that outbound port (opening up at a
> customer's request is fine) by default isn't "awesome" it makes them
> a-holes.

AFAIK no ISP in Spain blocks that port, or any port for that matter. Neither
outgoing nor incoming. You can fight spammers differently, without
assuming everybody is a criminal. Works fine.

In fact, mail to my ISP server is sent over 25, the submission port is
closed.

--
Cheers, Carlos.

Carlos E.R.

Aug 2, 2020, 7:20:09 AM8/2/20
On 02/08/2020 06.22, Johann Beretta wrote:
> On 7/29/20 1:40 AM, Carlos E.R. wrote:
>
>>> a-holes.
>>
>> AFAIK no ISP in Spain blocks that port, or any port for that matter. Neither
>> outgoing nor incoming. You can fight spammers differently, without
>> assuming everybody is a criminal. Works fine.
>>
>> In fact, mail to my ISP server is sent over 25, the submission port is
>> closed.
>>
>
> You need not assume anyone is a criminal. That's a hell of a leap. But
> it is a simple fact that home computers are infected by malware to a
> fairly high percentage.
>
> There's no damn reason that port 25 shouldn't be closed by default. I
> have no problem with an ISP opening port 25 for a customer who requests
> it, but to assume that any percentage of the general population is going
> to go through the trouble of setting up a mail server, for personal use,
> is idiotic.
>
> Twenty or thirty years ago, sure.. fine.. Most people on the 'net back
> then were much more computer savvy.. But it has become a commodity today.
>
> For fuck's sake, most people never even bother to change the password on
> their own wireless router. You think they need port 25 open by default?
>
> The only thing coming out of Port 25, for some fairly large chunk of the
> populace, is SPAM and not a single goddamn other thing....

Well, in Spain everybody needs to use port 25 to send mail legally and
normally, because that's how the mail servers at the ISP are set up. My
ISP refuses to set up the submission port at their side.

>
> If ISPs in Spain aren't blocking port 25 as a rule, then they're all
> assholes.

Oh, thank you.

>
> Seriously man, what percentage need 25 open? 1%? 0.01%?

Everybody that sends mail here using a tool like Thunderbird or Outlook.

And there are no more problems with spam than elsewhere. Just try to
send spam mail directly via the open port 25; it simply fails.

--
Cheers, Carlos.

Carlos E.R.

Aug 3, 2020, 5:08:08 PM8/3/20
On 03/08/2020 22.57, Johann Beretta wrote:
> On 8/2/20 4:16 AM, Carlos E.R. wrote:
>
>>
>> Well, in Spain everybody needs to use port 25 to send mail legally and
>> normally, because that's how the mail servers at the ISP are set up. My
>> ISP refuses to set up the submission port at their side.
>
> And that refutes what I said how? Sure, you connect to your ISP's
> server at port 25. But that's still INSIDE the ISP's network.. They
> shouldn't have 25 open to the world.

I also connect to gmail to send email using port 25 from Spain just
fine. Of course I use Internet, not my ISP "inside" network.


>>> If ISPs in Spain aren't blocking port 25 as a rule, then they're all
>>> assholes.
>>
>> Oh, thank you.
>>
>>>
>>> Seriously man, what percentage need 25 open? 1%? 0.01%?
>>
>> Everybody that sends mail here using a tool like Thunderbird or Outlook.
>
> Bullshit. You apparently don't understand how email works. Port 25 does
> not need to be open to the OUTSIDE world.

It is your opinion.

I do understand it quite well.

If you resort to insulting or SHOUTING, then you lose the discussion.
You do not have reasons.

I could say instead that blocking port 25 is stupid and goes against
liberty and things about assholes. But I will not.

--
Cheers, Carlos.