From: General Schvantzkoph on
On Sat, 12 Jun 2010 21:17:04 -0400, Maxwell Lol wrote:

> General Schvantzkoph <schvantzkoph(a)yahoo.com> writes:
>
>> I use dyndns which is as good as having a static IP. Comcast's IP
>> addresses are effectively static, the only time I've ever seen them
>> change is when I've replaced a modem. I have two domains, my company
>> domain which is hosted at a hosting service and is used for e-mail and
>> my website, and a personal domain which I have at dyndns and which is
>> used for ssh access.
>
> Just wondering - Comcast block incoming connections to port 22, right?
>
> And you say that some corporate firewalls block outgoing access to
> strange (not 22) port numbers.
>
> And software updates are initiated from the corporate side, right? So
> they require port 22?
>
> Well, I'd move the files from your private domain to your commercial
> domain using whatever port number you want, and have the customers
> update their software from your commercial domain (and port 22).
>
> Otherwise, you have to work around Comcast's restrictions.

Comcast isn't blocking port 22. They did have some problem with Cisco
modems that caused port 22 to be blocked; however, it's been resolved. I
had to do a power cycle on the modem to clear the problem but now it's
working. They have no reason to block ssh, it's only *nix users who use
it so it's not going to put any strain on their resources.

I'm not sure exactly what happens with large company firewalls, it could
be that they are doing packet inspection and blocking any traffic that's
not on its standard port. It's also possible that it's something
simpler, they might just be blocking all outgoing traffic on high ports.
I've run into this a couple of times with big companies (> $billion) but
never with smaller companies. To keep things simple I have my customer
ssh server on port 22 and I put my other systems on high ports.

From: Moe Trin on
On 13 Jun 2010, in the Usenet newsgroup comp.os.linux.networking, in article
<87ivjtF8blU1(a)mid.individual.net>, General Schvantzkoph wrote:

>I'm not sure exactly what happens with large company firewalls, it
>could be that they are doing packet inspection and blocking any
>traffic that's not on its standard port.

Too much work - there isn't a flag/variable within the headers that
identifies the traffic as protocol $FOO or application $BAR.

>It's also possible that it's something simpler, they might just be
>blocking all outgoing traffic on high ports.

More correctly, we block traffic outbound to _ANY_ port that we can't
see the employee needing to do his job. If you look at
http://www.iana.org/assignments/port-numbers, you'll discover only 19
TCP ports in the range 0-1023 are officially unassigned or reserved,
but very few have ``reasonably legitimate'' services that the average
employee needs to access, and not that many in the 1024-65536 range
exist either. Thus, someone trying to connect to an ssh, mail, or
pr0n server running on port 70/tcp is as much out of luck as having
the server on port 12345, 37335, or any other of the secret numbers
skript-kiddiez and w4reZ wr1t3rZ seem to believe no one would ever
guess.

Not only that, we block all outbound traffic to residential address
ranges - mainly to prevent the employees from poking holes around the
firewall. That's also a trivial exercise given 'ASN' numbers.

Old guy
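A toy model of the egress policy described in the post above (deny outbound to any port not on a short allowed list, and deny outbound to residential address ranges regardless of port), added here as an illustration and not code from either poster. The allowed-port set, the netfilter-style log lines and the RFC 5737 documentation prefixes standing in for residential ISP ranges are all constructed assumptions.

```python
import ipaddress
import re

# Constructed example policy: the handful of TCP ports an average employee
# plausibly needs. Everything else outbound is dropped.
ALLOWED_OUTBOUND_TCP = {22, 25, 80, 443}

# Constructed placeholders for residential ISP ranges. A real deployment would
# derive these from the ISP's ASN announcements; RFC 5737 documentation space
# is used here so the example stays offline and harmless.
RESIDENTIAL_PREFIXES = [
    ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")
]

# Matches the fields we need from a netfilter-style LOG line (constructed format).
LOG_RE = re.compile(r"DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dport>\d+)")


def egress_decision(dst: str, proto: str, dport: int):
    """Return (verdict, reason) for one outbound connection attempt."""
    addr = ipaddress.ip_address(dst)
    # The residential-range rule is checked first: even an allowed port such
    # as 22 is dropped when the destination looks like a home connection,
    # which is what stops an employee tunnelling around the firewall.
    if any(addr in net for net in RESIDENTIAL_PREFIXES):
        return ("DROP", "destination in residential prefix")
    if proto != "TCP":
        return ("DROP", f"protocol {proto} not permitted outbound")
    if dport not in ALLOWED_OUTBOUND_TCP:
        return ("DROP", f"tcp/{dport} not on the allowed list")
    return ("ACCEPT", "permitted service port")


def evaluate_log(lines):
    """Apply the policy to each parseable log line; unparseable lines are skipped."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"])
        verdict, reason = egress_decision(m["dst"], m["proto"], dport)
        results.append((m["dst"], m["proto"], dport, verdict, reason))
    return results


# Constructed sample: 192.0.2.10 plays a hosted server, 198.51.100.7 a home box.
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22",
    "IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=70",
    "IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=12345",
    "IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=22",
]
```

Running `evaluate_log(SAMPLE_LOG)` accepts only the first line; ssh to port 70 or 12345 fails on the port rule, and ssh to the home box on port 22 fails on the residential-range rule.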