All Inbound Ports Blocked on Verizon DSL?

I'm a new residential Verizon DSL Customer hoping to play with a Web Server on my home computer, but it seems my computer is invisible from the outside world on all ports -- not just port 80.

I've heard others discuss that Verizon blocks inbound Port 80 in some markets, but I see that all inbound ports are blocked. I have my Westell Modem/Router set to Single Static IP, with all of my firewalls disabled, and a "Shields Up" report from [link] shows that the first 1056 TCP ports are stealthed:

"Your system has achieved a perfect 'TruStealth' rating. Not a single packet - solicited or otherwise - was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet." I did this same test with my computer connected to the Internet via my dialup ISP, and I see that the ports are all visible but closed. What is Verizon doing?

Has anybody else experienced the same thing? If I believe what I am seeing, then I'd think it would be impossible for any Verizon DSL customer to run any P2P software, instant messaging apps, or anything that has a TCP socket server.

David

Reply to
David


David:

First let me suggest the Verizon private News Group...

news://news.verizon.net/0.verizon.adsl

In the former BellAtlantic regions incoming port 80 is blocked. In former GTE regions, it may not be. Based upon your posting IP address, you are most likely a former BellAtlantic customer. However, hosting a web server on Verizon is a violation of the Authorized Use Policy (AUP) so I suggest you read it before you decide to host a server on your residential Verizon DSL account.

When you are using a Router or a Router/modem combo then it uses Network Address Translation (NAT) and that will block non-specific TCP/IP requests. You stated "...refused to reply to repeated Pings (ICMP Echo Requests)." That is usually a Router setting that can be enabled or disabled depending upon vendor and model. I use a Linksys BEFSR81 and specifically enable "Block WAN Request", disable "Remote Management", disable "Remote Upgrade" and enable "Filter IDENT (port 113)". This helps to make my SOHO LAN behind the Router more secure and the Router and LAN less likely to be the target of a hacker.

You "can" host a server through a Router (including P2P software) if you know what TCP/UDP ports are being used and you "port forward" to a LAN IP address.

Many VOL users host web servers on Verizon by not using TCP port 80 but by using TCP port 8080 or another TCP port. Then they configure their HTTP daemon to host using that port. Then you access the server via a URL such as http://host_IP:8080/ The other problem that comes into play is the dynamic host addressing of residential DSL. What was your IP address yesterday may not be the same IP address today. Thus one has to use the services of DynamicDNS ($$).

Now let's say that your host is on IP address 192.168.1.42 using TCP port 8080. You would have to configure the Router to forward TCP port 8080 requests on the WAN side to go to 192.168.1.42 on the LAN side.

The other option is to place the host in the DMZ. That is you would have to configure the Router's DMZ address to be 192.168.1.42.

Reply to
David H. Lipman

Dave,

Thanks for the advice. I've tried running the web server on several other ports, 81, 8080, 5010, and 10080, but no dice. I've tried this using port forwarding on my Westell Versalink 327W Modem/Router, as well as by using its Single Static IP Setting (essentially putting the host in the DMZ). All tests were done with (temporarily) firewalls completely disabled. I know I have the IP address correct because (a) that's what I get when I type ipconfig, and (b) that's what [link] automatically detects then reports on its port scan.

I have a theory about what my Verizon provider (formerly BellAtlantic in Washington, DC) is doing. I suspect that Verizon here has some kind of firewall or gateway between their network and the Internet that stealths ports unless you have made an outbound request over a port to a specific IP address. Once you have, they open that port for incoming requests from that IP address for a certain time interval, before it is closed again. This would explain why [link]'s Shields Up reports that all ports are stealthed. I'm not sure how they could make this work with P2P and IM... although Yahoo IM does work for me. Perhaps Yahoo routes traffic through their server and isn't really P2P. Until I understand this, I don't fully believe my theory and I suspect I might be doing something wrong.

I'm curious to know if anybody else in my area has witnessed this same thing -- any non-novice user would need the answers to these questions. The whole AUP issue at Verizon is kind of silly in light of P2P. What is a server? The specific reason that I want to set up a web server is not for the purposes of a traditional web site, but for a home grown P2P system running over HTTP.

Thanks, David

Reply to
David

I can't believe this is the reason. At this level, they are doing bulk IP traffic, and having some sort of stateful packet filtering going on would require a tremendous amount of resources (hardware wise...)

Reply to
Dan Swartzendruber


Verizon ONLY blocks incoming TCP port 80.

You should really post this all in the private Verizon News Group; then you will get replies only from Verizon peers who have successfully set up similar functionality.

news://news.verizon.net/0.verizon.adsl

Reply to
David H. Lipman

No, what he should really do is dump Verizon and go with a provider that doesn't block ports.


Reply to
ellis

That is a Troll reply. Port 80 inbound is the only port blocked and only in former BellAtlantic locales. That hardly is the requisite for a replacement ISP.

Reply to
David H. Lipman

Bullshit. You just don't like what I said.

Going with a phone company for your internet access is just plain stupid. I find their AUPs almost as unacceptable as my local cable provider's. There are plenty of alternatives that have better support, better AUPs, and technical people that actually know something.

Reply to
ellis

You know, blocking ports on a routed WAN isn't hard if you use Access Control Lists. This is what I believe is happening. They might use an inbound ACL to block specific ports from their customers on their DSLAM. It would be as easy as:

    access-list # deny tcp any any eq www
    access-list # permit ip any any

or something of the sort. Then application would be the same for all interfaces of the DSLAM, like:

    Routername(config-if)# ip access-group # in

Simple as that. This allows for easy blockage of port 80. If they want to block a different port from coming into the DSLAM, all they'd have to do is add a duplicate line and change www to a port number. It's no surprise that they'd do that, seeing as how they would charge for VoIP services and have internet hosting of their own. They're just another money hungry company.

Reply to
adorablelostpuppy
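A small model of the two filter behaviours argued over in this thread (David's theory that inbound traffic is passed only after an outbound request to that host and port, and the port-80 ACL sketched above), written here as an added example; it is not code from any poster, and the packets, addresses and time window are constructed for illustration.

```python
# Added example (not from the thread): contrast a stateless Cisco-style ACL
# that drops only inbound TCP/80 with a stateful filter that passes inbound
# traffic only for flows the customer initiated. Addresses are documentation
# ranges (RFC 5737); nothing here touches a real network.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # 0 for icmp

# ACL entry: (action, proto, dport or None). "ip" matches every protocol.
PORT80_ACL = [
    ("deny", "tcp", 80),     # access-list N deny tcp any any eq www
    ("permit", "ip", None),  # access-list N permit ip any any
]

def acl_permits(acl, pkt):
    """First matching entry wins; no match means implicit deny, which is
    why the trailing permit-any-any line is needed."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

class StatefulFilter:
    """Inbound packets pass only if the customer sent outbound traffic to
    that remote host on that port within `window` seconds (David's theory)."""
    def __init__(self, window=60.0):
        self.window = window
        self.flows = {}  # (remote_ip, port) -> time of last outbound packet

    def outbound(self, pkt, now):
        self.flows[(pkt.dst, pkt.dport)] = now

    def inbound_permits(self, pkt, now):
        seen = self.flows.get((pkt.src, pkt.dport))
        return seen is not None and now - seen <= self.window

def compare(now=100.0):
    """Which constructed inbound probes each model lets through (80, 8080, ping)."""
    probes = [Packet("tcp", "198.51.100.7", "203.0.113.9", 80),
              Packet("tcp", "198.51.100.7", "203.0.113.9", 8080),
              Packet("icmp", "198.51.100.7", "203.0.113.9")]
    sf = StatefulFilter()
    # Customer contacted 198.51.100.7:8080 forty seconds ago, nothing else.
    sf.outbound(Packet("tcp", "203.0.113.9", "198.51.100.7", 8080), now - 40)
    return {"acl": [acl_permits(PORT80_ACL, p) for p in probes],
            "stateful": [sf.inbound_permits(p, now) for p in probes]}
```

Under the ACL only port 80 is dropped and a scanner still sees 8080 and ping; under the stateful model an unsolicited scanner gets nothing back on any port, which is the "TruStealth" result David observed.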

The clear advantage of Verizon is price. Alternatives exist only if speed and cost are not considerations. In my neighborhood of Washington, DC, Verizon charges $30 per month for DSL that gives about 2 Mbps of downlink. There is no alternative at this speed in this price range.

RCN Cable: $129 per month (7 Mbps)
Comcast Cable: $57.95 per month (1-5 Mbps)
Starband Satellite: $100 per month (150-500 kbps)
Various Dialup: $10 per month (53 kbps)

If there is a price competitive alternative, I'd be happy to take it. Sadly, however, I am not independently wealthy, nor will I ever be if I pay $100 per month on personal internet access.

Reply to
David

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.