Hi, comcast is filtering traffic to the smb ports on my network, particularly tcp:443 and tcp:139. (confirmed with a tcp traceroute)
Could that filter please be removed? In fact, if there are any additional filters being applied to my /28 subnet, could they also be removed?
thank you kindly!
Solved! Go to Solution.
Welcome switchninja. Here is the link to list of ports blocked by Comcast. Blocked Ports. Also ports 8080, 8181, 23 &2323 ports are used by Comcast for testing and maintenance access to the gateway. There are no other ports blocked or reserved by Comcast.
Okay, thats a handy list. How do I go about getting those blocks removed?
I thought business class internet didn't come with the nanny over my shoulder...
I just had trouble with port 22, but that's not in either of your lists. (I have Comcast Business Internet, with a Netgear CG3000DCR modem/hub, with 5 static IP addresses that I'm not using yet.) On the inside, using private IP 10.2.10.x, I have an SSH server. When I set up the DMZ to point to the SSH server, all ports seem to go through to it. But when I turn off DMZ and attempt to forward only port 22, I get "connection refused." However, if I forward non-standard port 222 to internal port 22, everything works fine.
I suspect that there's a hidden firewall forwarding setting that allows connections to the modem internals on port 22, but only if the connection originates from a Comcast NOC IP.
Is there any other source of information for tracking down things like this? Couldn't Comcast use a less-common port for its command-and-control, rather than the port that every sysadmin has used for decades?
Welcome spacewrench. Our Tier 2 agent checked the gateway configuration and confirmed that SSH port 22 was not enabled on the gateway administration page. Port 22 is now enabled.
Our Tier 2 agent checked the gateway configuration and confirmed that SSH port 22 was not enabled on the gateway administration page. Port 22 is now enabled.
I don't see any difference in the customer-facing admin page, though, and I'm still not getting through on port 22. (I have two separate connections / boxes / locations, so I'm actually not sure which one your agent worked on.)
Anyway, I've got SSH working on a nonstandard port, so it's not worth fiddling with any more.
Thanks for all your help (I see you answering all kinds of questions in the forums!)
I'll apologize for the other guy hijacking your thread. ;-)
SMB ports are filtered by MANY ISPs. There are some severe security holes in SMB that Microsoft has refused to close (mainly because doing so breaks backwards compatability with older LanManger/Microsoft clients) in their server products. if your trying to run SMB over the Internet your going to have trouble even if Comcast removes all their blocks you will just hit another block in an upstream.
If your trying to tie 2 sites together and you don't want to lose the overhead of a VPN and both sites are on Comcast, then why don't you contact them and get a private ethernet link between the sites? Then you can run your own numbering over it and you don't have to involve a hack.
Comcast is nothing more than a utility provider to me. My electrical company does not protect me from blowing my circuit breaker, so I do not want my internet provider to play nanny to me and block my internet connectivity for 'my own protection.'
I pay for business class internet connectivity, which implies I am not being treated as a residential customer. I am once again asking for all filtering to be removed from my service. I don't really care what 'many ISPs' do, I am not their customer, and the one that I am a customer to I am paying a premium for because I want to avoid exactly these types of scenarios. As to what I am using the ports for, it is completely irrelavent and non-topical to this request.
If this cannot be done, I would like an explanation as to why.
I understand your feeling but you need to understand that if Comcast did no filtering at all then their network would be unusable.
Think of all the Grandma's out there who have XP systems setup for them by their kids to skype, etc.
Many of those are plugged directly into a bridged modem on the Comcast network and have public addresses right on the systems.
Many of those systems are so hosed up that they do not pull patches. Think of how easy it is to screw up windows updates, and how hard it can be sometimes to get it fixed again? I have at times spent at least 45 minutes trying different things before getting it working again on a really hosed up customer system.
These clueless people are SHARING the network you are on. Their systems are ALREADY probably full of viruses that are busy trying to hose other systems on the Internet and I'm sure Comcast already has it's hands full with chasing after people, putting SMTP blocks on people's modems who are spamming the world.
Not everyone on the Internet is as clueful as you are, switch.
And last but not least, when you get a subnet of public numbers, Comcast does not let you install your own router. You are forced to use their router. Thus you cannot put your own access list in to block these ports, your dependent on host-based firewalling, and if the host gets rooted then the attacker can turn off your firewall.
Modern VPN gear is lightening fast, switch. I mean the good stuff not the cheap stuff. I just installed a 5 node VPN mesh last month with Cisco 5510's and 5505's and I can easily pump full wire rate through the VPN using AES 256 ciphers.
If you know enough to know how to run filesharing over a non-broadcast network then you know enough to know how to do it right.
The Internet was built by pragmatists, I never met an admin who really understood Internet networking who wasn't willing to sacrifice idealism to get the network running.