F9 Port blocking

N/A

After finding myself unable to connect to several fileshares on some remote servers I raised a ticket and was eventually directed to a Service Status security announcement which confirmed that F9 are blocking several ports including the Windows file/print share ports 137, 138, 139, 445.
This is very annoying. I don't require protection against myself - I'm well firewalled at both ends, only allowing traffic on these ports to and from the specific IPs of the servers concerned. Blanket blocking of ports has degraded the service that I pay for and while it may help those who are unable to protect their own machines I think it's a step in the wrong direction. Do we all have to put up with crippled connections to protect less careful users?
I can get round it by establishing a VPN connection to my work and routing traffic to the servers via that but it's a bit of a nuisance. And who knows, maybe F9 will start blocking VPNs soon to protect us from ourselves?
The customer support rep I spoke to said the situation was being monitored and alternative solutions were being investigated but there's no suggestion of alternative solutions in the Service Status announcement - it just says that ports may be unblocked if the threat goes away. It's hardly likely that the internet, or even F9's network, will get *less* dangerous in the future, is it? So by the look of it we will have to put up with more and more blocked ports until just 80 and 443 are open.
Actually, there's a lot of bad stuff coming over HTTP, maybe best block those two as well.

I'm not about to leave F9 over this but I am about to get very grumpy about it.

How about getting more sophisticated with your port blocking and applying rules per customer IP? Then you can lift the block on my connection since I've asked so nicely.

Jon.
14 REPLIES
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

Hi Jon,

I'm sorry that the blocking of these ports has caused problems for you, but on the whole the blocking will prevent more problems than it causes.
I will, though, back up what the CSC are saying: we are investigating alternatives, one of which is similar to what you suggest and would allow better per-customer rules that you could have some option of configuring yourself. Once the investigations are further down the road we'll post an update.
N/A

From today's latest update (here):

Quote
Earlier in the week we also posted a security update for customers announcing that we were blocking an increased number of ports to protect our customers. Following customer feedback that this was negatively impacting some IRC applications we will be removing those port blocks from Broadband Premier customers during the next 24 hours. As these will be removed we'd like to remind customers to ensure they have adequate security measures in place.
N/A

Ah, interesting - I wonder which ports in particular, and whether they'll stay open for long?

Thanks for the info as well, Dave. I'm glad there is some truth to the "looking into alternatives" rumour.

So the situation now is that I can probably map a network drive without resorting to VPN trickery, but maybe I won't be again at some point....? It'd be nice to have some sort of guarantee on this as it does affect the way I use my connection. All I want is a connection between me and the world - nothing too complicated! I wonder if you could introduce a new account type offering "A connection with no fiddling for those who think they can probably look after themselves." No doubt this would be cheaper than the standard accounts because there'd be so much less management required ;)
Plusnet Staff

I think what's most likely to happen is that you'll have some kind of portal page where you can pick and choose which ports or ranges of ports to block/open. That's at least what we are looking into and how much development work would be required.
N/A

That would be ideal - exactly what I was after. I hope the work isn't prohibitively expensive!
N/A

Why is any kind of extra port blocking needed? Isn't that what SAFE SURF mode is for?

Why not install a freely available FTP server on your machine to access the files you need? You can use logins and limit the IPs in your firewall and/or in the server setup. You can set the server to use any port that you like for inbound connections.

http://www.cerberusftp.com/download.htm#download is good to try.
N/A

Quote
Why is any kind of extra port blocking needed? Isn't that what SAFE SURF mode is for?


It blocks P2P etc.
N/A

Quote

Why not install a freely available FTP server on your machine to access the files you need? You can use logins and limit the IPs in your firewall and/or in the server setup. You can set the server to use any port that you like for inbound connections.

http://www.cerberusftp.com/download.htm#download is good to try.


Thanks for the link but I was really making the point that I'm paying for a service and that service has been crippled to some extent because of a problem that doesn't affect me.

I know I can get the files via FTP but that's not what I wanted to do. I'm using a file synchronisation utility to maintain my local copies of various web applications and that utility doesn't support FTP for the source. Besides, I like to have the filesystems of my servers readily available instead of having to go through an FTP application to get at them.

There are several ways round this problem, of which FTP is one, but my point was that I don't want to have to find a way round the problem because I never had a problem in the first place. I've taken steps to secure my home and company networks and don't need the protection of blanket port blocks. The blocks are a very blunt tool and I look forward to a time when the tool can be sharpened, as Dave outlined.

Is there any indication of a timeframe for this, Dave?

Jon.
Plusnet Staff

At the moment there isn't a timescale on the port tool; the project needs to be scoped first to see how much development time is required and it would then need inserting in the workstack either as a project itself or part of another project.
N/A

That's as I feared. Thanks, Dave.

So, the situation is: no Windows filesharing for the foreseeable future except for the lucky few on Broadband Premier. That's a shame, I was hoping for a more rapid resolution of this denial of service.

Jon.
N/A

Dave,

Having had a week away from my home I now find that my preferred workaround to your port blocking, a VPN connection to my office, no longer works. Could this be another port that F9 have blocked?

More usefully, can you point me to a page where all the blocked ports are simply listed? And if not, could you get a simple page made up please? It's infuriating when things just stop working, perhaps because someone's just decided to turn something off without saying anything.

Maybe this is nothing to do with you but that's the point - I have no idea whether it is or isn't and this makes remedying the situation much much more time consuming.

Jon.
Plusnet Staff

Hi,

There is a list on Service Status:

http://usertools.force9.net/status/archive/1122386482.htm

This, though, doesn't apply to Premier any more.

We have raised it internally to create a page on the portal with this information. We haven't, though, added any other blocking, so this wouldn't be the cause of the VPN problem you're seeing.
N/A

Right, thanks Dave. I'll keep looking elsewhere for the VPN problems.
N/A

Dave,

You know I hate to be a pain, old bean, but I've noticed that filesharing is operational again although there's been nothing in Service Status to indicate a change of policy. What's the story here?

Obviously I'm delighted to be able to use the internet as I wish again but it all seems a bit unpredictable to me, and unpredictable = bad.

Regards,
Jon.