TelASS is now blocking ports on ADSL

[MC Hammered]

I've been trying for the last week to figure out why no one can get to port 21 to access my ftp.

So after trying just about everything possible I call tech support and asked them.

The guy I got on the phone initially said he didn't think they blocked port 21 since it is such a widely used port but after he did some digging TelASS put into place port blocking as of June 6, 2004.

On the memo he tells me this is due to the number of users that host web servers on non business packages and TelASS wants to have these users upgrade their packages.

So in order to get port 21 open I'll have to upgrade to a server package which costs $40 more a month.

*sigh*

What to do.

[bob]

can't you just run your FTP serving prog. on a different port?

[MC Hammered]

Working on putting in on a new port right now.

Shouldn't be too hard but it's just all the BS questions that people are going to ask since it isn't on the default port 21.

I am also checking to see if they are denying people dynamic IP's for more than 5 days as well. if I can't keep a dynamic IP for a period of time then I'll have to setup the autoconfigure program for my DNS server to update it when it changes.

Paying an extra $40 a month to have a static IP is an expensive option right now.

[ebbomega]

I thought they did that with port 80 a long time ago. I'm not at all surprised.

This is why dns is a useful tool.

[neoh]

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 69 -j DNAT --to 10.0.0.5:21

:)

[MC Hammered]

DNS is great but it doesn't help me with my port issue.

[SEAN!]

yeah no shit you're probably using well over 10 gigs a month of bandwith on that server. what would you do if you were telus and you had 50,000 people using unsually large amounts of bandwith and paying the same rate as everyone else?

[MC Hammered]

The following ports will have inbound (ingress) traffic blocked.

TCP 21 (ftp) Customers running an FTP server will no longer be able to have Internet users connect to their server Many customers computers are used as FTP servers to store illegal files

TCP 25 (smtp) Customers running a SMTP mail server will no longer be able to receive email requests Prevent mail servers that operate as an open relay. Open relays are used without a customer’s knowledge to sends millions of pieces of Spam

TCP 80 (www) Customers running a Web server will no longer be able to have Internet users connect to their server Common exploit on old Window IIS server and Linux boxes that are not properly patched

TCP 110 (pop3) Customers running a POP mail server will no longer be able to have Internet users connect to the server

TCP 6667 (ircd) Customers running a IRC server (Internet Relay Chat) will no longer be able to have Internet users connect to the server

TCP/UDP 135-139 (dcom and netbios) These ports are commonly exploited by worm viruses 135 Windows RPC 136 PROFILE Naming System (basically unused) 137-139 Windows NetBios

TCP/UDP 445 (ms-ds) Microsoft Directory Services – Customers that allow legitimate Internet users access to their computers will loose this ability This allows hackers to directly connect to a Windows based computer and gain total control over the OS

TCP/UDP 1433-1434 (ms-sql) Microsoft SQL server – Customer running an SQL server will no long be able to have Internet user connect to their server There are several worm viruses that exploit holes in SQL server

Regards, TELUS Internet Services Help Desk

[MC Hammered]

Quote:

Originally Posted by SEAN!

yeah no shit you're probably using well over 10 gigs a month of bandwith on that server. what would you do if you were telus and you had 50,000 people using unsually large amounts of bandwith and paying the same rate as everyone else?

I'm going to beat you.

[ebbomega]

Quote:

Originally Posted by MC Hammered

DNS is great but it doesn't help me with my port issue.

Use it in combination with Neoh's solution and you're set. =)

Isn't there a way of mapping an external port on a DNS server (IE NOT on telus) onto some other port of your telus address? I'm fairly certain I've seen this used before....

[neoh]

^^ can be done in Linux. But not sure in Windows.

[rawb]

Quote:

Originally Posted by ebbomega

Use it in combination with Neoh's solution and you're set. =)

Isn't there a way of mapping an external port on a DNS server (IE NOT on telus) onto some other port of your telus address? I'm fairly certain I've seen this used before....

you could set up a tunnel foobar.notelus.com:21 -> mcham.telus.net:2121

but then you're just creating a shitty traffic path and duplicating your traffic.





anyways all in all im glad telus is blocking ports it saves so many headaches.

[MC Hammered]

I don't want to setup a tunnel. It's no big deal as I'll just ad the ":69" to the end of the urls I post on the board (time to go edit them all now...)

Now I just wait and see if I get to have a pseudo-static IP anymore.

[Gusto]

hah... fuck, that explains why my ftp stopped working too

[Gusto]

Quote:

Originally Posted by neoh

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 69 -j DNAT --to 10.0.0.5:21

:)

how does this really help anything, though? in the end the user still needs to specify the non-standard port and its about as easy to change the port your ftpd is listening on. i suppose it might be worth it if you wanted to keep a standard port for access on your lan, but really its just extra routing to process, no? or maybe i missed something, its happened before.

[shorerider]

Quote:

Originally Posted by bob

can't you just run your FTP serving prog. on a different port?

You have tried to acess my port without permission numerous times.

[neoh]

Quote:

Originally Posted by gusto

how does this really help anything, though? in the end the user still needs to specify the non-standard port and its about as easy to change the port your ftpd is listening on. i suppose it might be worth it if you wanted to keep a standard port for access on your lan, but really its just extra routing to process, no? or maybe i missed something, its happened before.

forwarding the port to 69. So it wont be blocked anymore, that's how it helps. :) The ftp is listening on port 69, but Winston was worried everyone connecting to 21 was going to have a problem, so why not forward all 21 requests to port 69? And no, no extra routing to process, because your already being routed, just routed to the right direction.

[Gusto]

Quote:

Originally Posted by neoh

forwarding the port to 69. So it wont be blocked anymore, that's how it helps. :) The ftp is listening on port 69, but Winston was worried everyone connecting to 21 was going to have a problem, so why not forward all 21 requests to port 69? And no, no extra routing to process, because your already being routed, just routed to the right direction.

but if telus is blocking traffic on port 21, your router/computer won't get the request at all anyway, so won't have anything to forward to 69, will it?

[neoh]

your right.
brain fart.
jesus christ.

[ebbomega]

Quote:

Originally Posted by neoh

^^ can be done in Linux. But not sure in Windows.

/me looks at his wimpering Pentium 90 Debian Router.

Poor thing's been turned off ever since I couldn't get wireless stuffs going on her.

*pat pat*

(PS: i hate wireless routers...)

[decypher]

man if i was in grade 9 i'd be all over this with a solution or an opinion.. but i completely forgot the vast knowledge of computing, networking and hacking i absorbed over a 4 year period.. fuckin sucks ass.. sad really

[neoh]

^^ my router is a 166 running debian that's been on for about 5 years now, 48mb ram, 1027 bad sectors on a 1.2gb hdd.

Oh, and it's made out of LEGO!

[Gusto]

rawb's suggestion would work but you'd need access to a server on another isp so that you could set up the tunnel, and if you had that you might as well put the server on the other isp since all the traffic is going through it anyway.

[neoh]

Her name is niobe. :D

[_LuxFerre_]

I can't believe they are so stupid. It should be a block against FTP requests, not port 21. They are only making everything a bit more complicated but not at all impossible. They must think a lot of people [hosting servers] are dumb.

I'd think they should only monitor/call/suspend those accounts with ridiculous transfer rates per month. I might use FTP get files to and from work/school etc.

This is not directed at anybody [MCH] but simply addresses the limitations in their logical process. Instead of paying $40 extra every month you could pay it once to sdf.lonestar.org and use their services. Or something.

but it's a money world. :)