What ports to open


Clint Sharp

Dec 7, 2003, 4:31:40 PM
Hi, just wondered if anyone knows how Turnpike authenticates and
identifies Demon when you connect to collect news/mail?

I'm trying to poke a hole through a firewall to allow Turnpike to be
used. Ethereal shows TCP port 7753 as the destination for the
authentication but the source port changes every time I ask Turnpike to
connect.
--
Clint

Simon Waters

Dec 8, 2003, 12:59:34 AM
Clint Sharp wrote:
> Hi, just wondered if anyone knows how Turnpike authenticates and
> identifies Demon when you connect to collect news/mail?

AFAIK

POP3 includes authentication on the port 110 conversation.

NNTP for Demon is authenticated based on your IP address, and I assume
all to destination port 119.

> I'm trying to poke a hole through a firewall to allow Turnpike to be
> used. Ethereal shows TCP port 7753 as the destination for the
> authentication but the source port changes every time I ask Turnpike to
> connect.

No idea what port 7753 is, but I'm not reading this in the Turnpike
group. Where is it trying to contact?

Using a "random" source port (above 1023) is normal IP behaviour. Only
weird things like old BIND servers, and Unix print servers use the same
source port as destination port.

Clint Sharp

Dec 8, 2003, 4:32:38 PM
In message <br1408$pr5$1$8300...@news.demon.co.uk>, Simon Waters
<Si...@wretched.demon.co.uk> writes

>Clint Sharp wrote:
>> Hi, just wondered if anyone knows how Turnpike authenticates and
>> identifies Demon when you connect to collect news/mail?
The POP3, NNTP and all other ports connect just fine, I can use other
mail/news clients with no problems, it's just Turnpike that refuses to
acknowledge that it's being used on Demon.

>> I'm trying to poke a hole through a firewall to allow Turnpike to be
>> used. Ethereal shows TCP port 7753 as the destination for the
>> authentication but the source port changes every time I ask Turnpike to
>> connect.
>
>No idea what port 7753 is, but I'm not reading this in the Turnpike
>group. Where is it trying to contact?
>
Looks like 194.159.253.2:7753, auth-finch-2.server.demon.net.
On a successful connect this server returns my IP and service class so I
guess it's checking whether I'm using Turnpike with Demon or some other
ISP, if the connect fails to 194.159.253.2:7753 then it tells me I need
a universal site key.

>Using a "random" source port (above 1023) is normal IP behaviour. Only
>weird things like old BIND servers, and Unix print servers use the same
>source port as destination port.
>
Kind of makes it awkward to lock down outgoing traffic if it uses a
different port every time. I could be just being paranoid but I like the
idea of being able to lock down my outgoing IP traffic to the ports I
know and love.
Makes it hard for some nasty software to dial home. All the other source
ports are standard, this is the only oddball. I guess I could work it on
destination address but that might make life difficult if the server
gets moved, have to check if the filter rules will allow FQDNs I
suppose.

I could also ditch Turnpike and use one of the other (non-MS) news/mail
readers, it's just another little quirk that makes my life more
difficult than it should be.
--
Clint

Paul Terry

Dec 9, 2003, 2:29:30 AM
In message <fBYkECB23O1$Ew...@clintsmc.demon.co.uk>, Clint Sharp
<cl...@clintsmc.demon.co.uk> writes

>Kind of makes it awkward to lock down outgoing traffic if it uses a
>different port every time.

http://www.google.co.uk/groups?selm=8zGMaiBbYlb2EAcE%40turnpike.com

suggests that you may need to enable ports 7750, 7753 and 7758.

--
Paul Terry

Simon Waters

Dec 9, 2003, 1:52:09 PM
Clint Sharp wrote:
> In message <br1408$pr5$1$8300...@news.demon.co.uk>, Simon Waters
> <Si...@wretched.demon.co.uk> writes
>
>> Using a "random" source port (above 1023) is normal IP behaviour. Only
>> weird things like old BIND servers, and Unix print servers use the same
>> source port as destination port.
>>
> Kind of makes it awkward to lock down outgoing traffic if it uses a
> different port every time. I could be just being paranoid but I like the
> idea of being able to lock down my outgoing IP traffic to the ports I
> know and love.

You're not paranoid, at least not in this regard.

Many people regard the "right" way to firewall a network as inspecting
the packets, or proxying the connection, to ensure that port 80 traffic
really is HTTP, and not just someone taking advantage of the hole in the
firewall to tunnel secrets out, or nasties in.

Similarly you can get personal firewall software for MS Windows that
will only allow 'approved' software to make specific outgoing
connections, e.g.:

Outlook allowed to send to port 25 at "post" and port 110 at "pop3".
Internet Explorer allowed to send to port 80 anywhere.

Whether such an approach will survive the development, and integration
of desktop software is unclear.

I don't have hands on experience with these types of personal firewall
products, but the idea makes a lot of sense if you are concerned about
the consequences of malware infestation, and not just avoiding it in the
first place. My concern is the average user probably wouldn't know when
to say "No" to the helpful pop-up messages, and there may be better ways
of securing computers.

Clint Sharp

Dec 10, 2003, 6:09:50 PM
In message <br55l5$a9b$1$8300...@news.demon.co.uk>, Simon Waters
<Si...@wretched.demon.co.uk> writes

>> Kind of makes it awkward to lock down outgoing traffic if it uses a
>> different port every time. I could be just being paranoid but I like the
>> idea of being able to lock down my outgoing IP traffic to the ports I
>> know and love.
>
>You're not paranoid, at least not in this regard.
So they might still be out to get me?

>
>Many people regard the "right" way to firewall a network as inspecting
>the packets, or proxying the connection, to ensure that port 80 traffic
>really is HTTP, and not just someone taking advantage of the hole in the
>firewall to tunnel secrets out, or nasties in.
I'm not rich enough to have stateful packet inspection in hardware.

>
>Similarly you can get personal firewall software for MS Windows that
>will only allow 'approved' software to make specific outgoing
>connections, e.g.:
Yeah, Zonealarm et al, it's OK, but it's another service eating
resources, I run several almost trailing edge systems so resources are
to be rationed. I can limit the outgoing traffic to the 'usual' ports
and the unusual stuff I can allow only to/from certain IP address ranges
with the filtering on my router, I'll have to resign myself to
tracerting the servers if and when Demon move them to different IPs as a
FQDN doesn't seem to work in a firewall rule.

>Outlook allowed to send to port 25 at "post" and port 110 at "pop3".
>Internet Explorer allowed to send to port 80 anywhere.
>
>Whether such an approach will survive the development, and integration
>of desktop software is unclear.

One of the reasons for wanting something away from the desktop
environment. Smoothwall or IP cop look promising as well, but my space
is limited, I might have to move into the loft!


>
>I don't have hands on experience with these types of personal firewall
>products, but the idea makes a lot of sense if you are concerned about
>the consequences of malware infestation, and not just avoiding it in the
>first place.

Well, locking down outgoing ports to the standard mail/news/web stuff
should stop most of it, I'd like to think that my AV stuff would catch
any 'nasties' and I regularly scan for adware.


> My concern is the average user probably wouldn't know when
>to say "No" to the helpful pop-up messages, and there may be better ways
>of securing computers.

I know when to say no, but it's all too easy to click the wrong button.

Thanks to all who replied, I've achieved what I wanted, I now have a
completely 'stealthed' net connection with all the important stuff
running. Quite interesting to monitor the connection (using Kiwi Syslog
Daemon) and see what traffic hits the firewall.

TP appears to work with just port 7753 and 7758 allowed to make outgoing
connections to a strictly limited range of IP addresses.
--
Clint
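As an added illustration of the egress policy the thread converges on (this is not code from any poster), the script below evaluates constructed firewall log lines against an allowlist keyed on destination address and port only, since the source port is ephemeral and changes per connection. The 194.159.253.0/24 range is an assumption standing in for Demon's "strictly limited range of IP addresses"; only 194.159.253.2 appears in the thread.

```python
import ipaddress
import re

# Egress allowlist modelled on the thread: standard mail/news/web ports to
# anywhere, and the Turnpike ports 7753/7758 only towards an assumed Demon
# range. Source ports are deliberately absent from the policy: the client
# picks a fresh ephemeral port (above 1023) for every connection.
EGRESS_POLICY = [
    # (destination network, destination port)
    ("0.0.0.0/0", 25),            # SMTP
    ("0.0.0.0/0", 110),           # POP3
    ("0.0.0.0/0", 119),           # NNTP
    ("0.0.0.0/0", 80),            # HTTP
    ("194.159.253.0/24", 7753),   # Turnpike auth (assumed range)
    ("194.159.253.0/24", 7758),   # Turnpike auth (assumed range)
]

# Constructed log format: "src=IP:PORT dst=IP:PORT proto=tcp"
LOG_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+)")

def egress_allowed(dst_ip, dst_port, policy=EGRESS_POLICY):
    """True if an outgoing connection to dst_ip:dst_port matches a rule."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in ipaddress.ip_network(net) and dst_port == port
               for net, port in policy)

def evaluate_log(lines, policy=EGRESS_POLICY):
    """Return (src_port, dst_ip, dst_port, verdict) for each parsable line."""
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a connection tuple
        _src_ip, src_port, dst_ip, dst_port = m.groups()
        verdict = "allow" if egress_allowed(dst_ip, int(dst_port), policy) else "deny"
        verdicts.append((src_port, dst_ip, int(dst_port), verdict))
    return verdicts

# Constructed sample lines; the changing source port mirrors what Ethereal showed.
SAMPLE_LOG = [
    "src=192.168.1.10:3421 dst=194.159.253.2:7753 proto=tcp",
    "src=192.168.1.10:3422 dst=194.159.253.2:7753 proto=tcp",
    "src=192.168.1.10:3423 dst=198.51.100.7:7753 proto=tcp",   # right port, wrong host
    "src=192.168.1.10:3424 dst=203.0.113.9:110 proto=tcp",     # POP3 anywhere
    "src=192.168.1.10:3425 dst=203.0.113.9:6667 proto=tcp",    # not on the list
]

if __name__ == "__main__":
    for src_port, dst_ip, dst_port, verdict in evaluate_log(SAMPLE_LOG):
        print(f"sport={src_port:<5} -> {dst_ip}:{dst_port:<5} {verdict}")
```

Because the rule matches on a network rather than a hostname, moving the server within the range needs no rule change, which is the caveat Clint raises about FQDNs not working in router filter rules.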
