Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Comcast blocking TCP Port 22 inbound

For years, I've had an sshd listening on port 22 on my Comcast Internet connection. Starting about a week ago -- with no change in my configuration -- no packets could get through.

 

nmap from an external site shows the port is filtered, not closed. Listening on port 80 or an unprivileged port works fine; nmap shows it open as expected.

 

traceroute to port 22 shows packets being dropped at the penultimate hop, before reaching my residential IP address.

 

The box connected to the cable modem is running Debian GNU/Linux stable. For testing purposes, I turned off all firewall (iptables) rules. There is no relevant AV software.

 

I've tried also for testing purposes hooking up other boxes (Windows 7, OS X) and tried other services listening on port 22 (e.g. web server rather than sshd). No luck.

 

I have been capturing raw interface traffic on multiple platforms (Linux and Windows), and when I try to connect in on port 22 from the outside, no traffic appears on the interface connected to the cable modem. On other ports the traffic appears as expected.

 

I even tried a new MAC address to get a different DHCP lease. Same result -- no inbound traffic on port 22.

 

I tried turning off and disconnecting the modem overnight, no difference.

 

Comcast insists that they can't possibly be blocking port 22 and this must be an issue on my end.

 

I've seen various message board discussions of other technically sophisticated users reporting the same problem, but no solutions.

 

Can anyone offer any suggestions? Or even some way that I can better prove to Comcast that this is a WAN issue?

Networking Expert
kevj
Posts: 4,859
Registered: ‎10-03-2003

Re: Comcast blocking TCP Port 22 inbound

Certainly looks like you have done your homework on this, so I am going to bring it to the attention of the Comcast representatives on this forum to see if they can assist....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't work for Comcast...


Help us to help you!!
- respond to requests for info
- post back if your issue is resolved
- mark appropriate posts as solutions


Send feedback to Comcast using the 'feedback' link on this page:
http://www.comcast.com/Corporate/Customers/CustomerGuarantee.html?SCRedirect=true

Connection Expert
EG
Posts: 44,139
Registered: ‎12-24-2003

Re: Comcast blocking TCP Port 22 inbound


ajkessel wrote:

 

traceroute to port 22 shows packets being dropped at the penultimate hop, before reaching my residential IP address.


It may help someone to help diagnose this if you post that trace output. Were ICMP packets being used for the trace ?

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

TCP SYN packets. I didn't think I could use ICMP to probe a specific port.

 

Here's an attempt from a colo box in NYC  -- it only reaches the penultimate hop before my assigned IP address:


 1  66-199-252-233-cust-gw.reverse.ezzi.net (66.199.252.233)  0.666 ms  1.171 ms  1.207 ms  1.209 ms  1.209 ms  1.106 ms  1.103 ms
 2  ads-bsh-cr02.ezzi.net (72.9.110.193)  50.597 ms  50.970 ms  51.000 ms  51.003 ms  51.005 ms  51.052 ms  51.059 ms
 3  ads-bsh-cr01.ezzi.net (72.9.110.241)  1.062 ms  1.063 ms  1.158 ms  1.283 ms  1.233 ms  1.456 ms  1.416 ms
 4  18-110-9-72.reverse.ezzi.net (72.9.110.18)  1.039 ms  1.209 ms  1.209 ms  1.219 ms  0.714 ms  0.664 ms  0.749 ms
 5  Gi5-1.1165.ar2.EWR2.gblx.net (64.208.169.57)  1.239 ms  1.712 ms  1.874 ms  1.963 ms  1.958 ms  2.057 ms  1.957 ms
 6  COMCAST-IP-SERVICES-LLC.TenGigabitEthernet4-4.ar4.NYC1.gblx.net (64.215.24.86)  3.333 ms  3.695 ms  3.418 ms  3.143 ms  3.048 ms  2.939 ms  3.059 ms
 7  pos-1-14-0-0-ar01.needham.ma.boston.comcast.net (68.86.90.66)  9.134 ms  9.431 ms  8.926 ms  8.793 ms  8.808 ms  9.022 ms  9.091 ms
 8  * * * * * * *
 9  68.85.184.186 (68.85.184.186)  10.615 ms  10.743 ms  10.529 ms  10.469 ms  10.416 ms  10.399 ms  10.315 ms
10  * * * * * * *
11  * * * * * * *
12  * * * * * * *
13  * * * * * * *
14  * * * * * * *

Bronze Star Contributor
badz
Posts: 233
Registered: ‎04-13-2004

Re: Comcast blocking TCP Port 22 inbound

It's clearly stated in the TOS that you are not allowed to run server daemons on your residential account. I'm sure they blocked it since you've been running a ssh daemon off it.

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

Wrong answer. Comcast support has been very clear that port 22 shouldn't be blocked and have made several attempts to figure out why I'm seeing this port filtering. They ran tests on their end and couldn't identify a cause. It was Comcast (wecanhelp) who suggested I post here to see if anyone else could figure it out.
Bronze Star Contributor
badz
Posts: 233
Registered: ‎04-13-2004

Re: Comcast blocking TCP Port 22 inbound

You've already answered your own problem. You're violating the terms of service by running a server and it got blocked. The AUP clearly states the following, I'm unsure which part of it you cannot understand. I'm sure you didn't tell the Comcast support agent you've been running a server for years did you?

 

"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, e-mail, Web hosting, file sharing, and proxy services and servers;"

 

You can read the entire thing for yourself here: http://www.comcast.net/terms/use/#prohibited

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

Yes, I told the Comcast technician I've had sshd listening for several years. He asked another engineer, who is also a Comcast customer, who also runs sshd, and the technician forwarded me some questions/suggestions, including a bash transcript of expected behavior.

 

Comcast has been uniformly and absolutely clear that they do not block TCP port 22 inbound, even selectively.

 

It's not at all clear that this is prohibited by ToS; or, if it is, that it is enforced in non-extraordinary cases. Lots of common software technically runs as a "server" if by "server" you mean something that listens to an Internet facing port: IM software, MMORPGs, multi-user corporate document collaboration software (e.g. Microsoft Groove), etc. These are all "servers" from a technical perspective. My understanding is these terms are designed to prohibit abuse of the network -- e.g., serving gigabytes of music on an open FTP site.

 

In any case, are you a Comcast insider? Or should I believe what the Comcast engineers have been telling me instead?

Bronze Star Contributor
badz
Posts: 233
Registered: ‎04-13-2004

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

Have you bound your machine to an internal LAN IP address and tested if port 22 is working then, if it's working on the LAN end and not on the WAN end which Comcast is providing it's obviously blocked no matter what the tech told you, he or she may not be familiar with what you're trying to do or it simply may be against company policy for them to disclose or discuss the means and or actions they take on these matters. 

 

Yes I've known people that have had ports blocked by ISP's in the past for running servers not Comcast in specific however. I do coding on IRCd services and use internal addresses so nobody on the outside has access to my test code in progress, honestly if you are running this for test purposes you don't need WAN access to it so why not simply use internal addresses and not risk having ports mysteriously blocked or even worse having your account terminated for a violation you could have easily corrected.

 

I'd pretty much bet that Comcast scans for active ports open on systems and then monitors traffic to those ports to determine if a server is being run or not. It's not a science, it's very easy to tell when a server is being used by outside sources..ie selling shell accounts or whatever and I'm sure Comcast police their AUP and TOS accordingly.

 

I'm almost positive Comcast wouldn't allow web,ftp,ssh,irc,nntp, or any other server. IM clients and such are servers sure in a way but then again how many of those are running 24/7?

 

No, I have nothing to do with Comcast other than I pay my bill to them for providing my services I ask for.

 

I'm shocked the "connection experts" don't know the AUP and TOS however.

 

You can prove the theory of the port being blocked also if you're willing to risk that by simply redirecting sshd to another port.

 

Edit: Just found this, as far as Comcast not blocking any ports, wrong they DO block ports it's even in their own FAQ: http://customer.comcast.com/Pages/FAQViewer.aspx?Guid=d3609bda-26c4-4200-a9ba-ba991251a9f6

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

Sure, port 22 works on the LAN-facing Ethernet card, or if I connect another test box (and disconnected the modem) to the WAN-facing card. Any nonprivileged port works too. I'm not selling shell accounts; just trying to get secure access to my home files.

 

To clarify on the port-blocking point: several Comcast folks, including those who seem to be reasonably technically adept, have said no ports are ever blocked other than those listed on the FAQ. I never meant to imply that they do no port-blocking; rather, they have an explicit port-blocking policy that does not include port 22.

 

I think what's happened here is some switch was triggered close to the endpoint that the internal tech folks aren't aware of. They maintain that the port is closed on my machine -- which it can't be, it shows up as filtered, not closed, from the outside.

 

There's really no technical reason why Comcast would want or need to block small amounts of traffic on port 22 (but not, say, on port 12345). The AUP and TOS aren't, in my experience, intended to go after this sort of use. There are hundreds of discussions in public forums of people running sshd from home with Internet service provided by Comcast, with no ill effects.

Connection Expert
EG
Posts: 44,139
Registered: ‎12-24-2003

Re: Comcast blocking TCP Port 22 inbound


badz wrote:

 

I'm shocked the "connection experts" don't know the AUP and TOS however.

 


Never assume anything. I can't speak for anyone else, but I'm familiar with their TOS. As I am not an employee I can't speak authoritatively about its specifics and enforcement but I do know from past experience that running servers has been a grey area on CC. They have typically had very loose enforcement of that part of their TOS as long as there isn't heavy public traffic to one and it is not being used for commercial purposes or rendering porn. Between me and you my opinion is that your comment was unnecessary and I'm wondering if you made it in order to incite a flame war. I remember you..

Connection Expert
JamesR
Posts: 6,437
Registered: ‎09-29-2007

Re: Comcast blocking TCP Port 22 inbound

OK TOS says no servers.  That said people successfully use port 22 and the SSH daemon every day.  Let's escalate this and see if we can get a resolution.

Recognized Contributor
CCRodney
Posts: 156
Registered: ‎04-16-2010

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

All,

 

Comcast does not block Port 22. We are investigating this issue.

 

For a list of the Ports we do block please check this FAQ!

 

 

Thanks,
CCRodney
Just a regular guy

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

According to @ComcastBill on Twitter:

 

We found the port 22 issue and are working on a fix now.

 

http://twitter.com/ComcastBill/status/14377922232

Bronze Problem Solver
lunski
Posts: 1,757
Registered: ‎09-03-2008

Re: Comcast blocking TCP Port 22 inbound


ajkessel wrote:

According to @ComcastBill on Twitter:

 

 We found the port 22 issue and are working on a fix now.

 

http://twitter.com/ComcastBill/status/14377922232


Rodney & Bill & I are all on same team.

 

Please try now and let us know the results.

George Lunski
"Retired" Comcast Help Forums Administrator
Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

All fixed! Apparently this was in fact a Comcast issue?

Bronze Problem Solver
Posts: 3,279
Registered: ‎05-12-2006

Re: Comcast blocking TCP Port 22 inbound

 


badz wrote:

You've already answered your own problem. You're violating the terms of service by running a server and it got blocked. The AUP clearly states the following, I'm unsure which part of it you cannot understand.

 

I think you're misunderstanding what you quoted. Do you think a PC is considered "dedicated, stand-alone equipment or servers"?

 

I'm sure you didn't tell the Comcast support agent you've been running a server for years did you?

 

"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, e-mail, Web hosting, file sharing, and proxy services and servers;"

 

You can read the entire thing for yourself here: http://www.comcast.net/terms/use/#prohibited

 

I think the relevant bit is: "use or run programs from the Premises that provide network content or any other services to anyone outside of your Premises LAN, except for personal and non-commercial residential use;" Note the exception. I'd say that, in general, running a SSH server is perfectly OK. I'd bet that they'd have no problem with running a web server that was just about making "newsy" stuff available to family and friends, either.

 

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

Now it's blocked again!

Connection Expert
JamesR
Posts: 6,437
Registered: ‎09-29-2007

Re: Comcast blocking TCP Port 22 inbound

The issue has been escalated hopefully we will get a fix before the weekend

Bronze Problem Solver
lunski
Posts: 1,757
Registered: ‎09-03-2008

Re: Comcast blocking TCP Port 22 inbound

 


ajkessel wrote:

Now it's blocked again!


Our original fix was a temp fix. We pushed out a fix over the weekend. You should have no further problems.

 

George Lunski
"Retired" Comcast Help Forums Administrator
New Visitor
Posts: 4
Registered: ‎12-26-2007

Re: Comcast blocking TCP Port 22 inbound

I'm seeing the same problem, port 22 is blocked, high ports work fine. I saw in another forum that the problem is associated with Cisco modems (which is what I have). I notice that this thread is from May, I'm still seeing the problem on June 11. Has the fix not been rolled out everywhere?

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

This has been fixed in Boston, at least for me.

Connection Expert
JamesR
Posts: 6,437
Registered: ‎09-29-2007

Re: Comcast blocking TCP Port 22 inbound


bjrosen wrote:

I'm seeing the same problem, port 22 is blocked, high ports work fine. I saw in another forum that the problem is associated with Cisco modems (which is what I have). I notice that this thread is from May, I'm still seeing the problem on June 11. Has the fix not been rolled out everywhere?


Sorry you are having trouble.  Where are you located?  (City State)?

We will see if we can get you some leverage to get this resolved.

New Visitor
Posts: 4
Registered: ‎12-26-2007

Re: Comcast blocking TCP Port 22 inbound

I power cycled the modem and that fixed the problem, port 22 seems to be working now.

 

Connection Expert
JamesR
Posts: 6,437
Registered: ‎09-29-2007

Re: Comcast blocking TCP Port 22 inbound


bjrosen wrote:

I power cycled the modem and that fixed the problem, port 22 seems to be working now.

 


Thanks for posting back that you have it resolved.  I will call off the dogs.

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

Hello

 

I just started comcast 2 weeks ago, and from "day 1" *all* of my ports are blocked.  To determine this I went to a site http://nmap-online.com/ and did a full scan of all ports, the result was that they are all blocked.  Actually at first I was looking to administer the router to block any ports that I don't absolutely need.  It turns out that it looks like I cannot administer the router/modem at all.

 

 

I was given a Thompson DHG535-2 Modem.  I have seen many other people posting on the nets looking for the manual, and most of them have bogus links.  Here is where I finally found the appropriate manual, which lists nothing of administration functions. 

http://www.manualsonline.com/mdownloads/a4df522b-2bbe-4d80-b4e2-1ee026367196.pdf

Also, going to http://192.168.100.1/Admin.html just gives the message that this feature has been disabled, as does http://192.168.100.1/goform/BasicLan

 

I would like to use port 22 to access my home desktop PC from my portable laptop PC (ie. to browse grab files i forgot to bring with me, via ssh and scp).

 

I would also like to have a port such as "8080" open so that I can create and test my own webpages at home - there is no danger of this becoming a "server".

 

Please tell me what steps I need to take to get this access.

 

 

Bronze Problem Solver
Posts: 3,279
Registered: ‎05-12-2006

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

 


madzimambo wrote:

Hello

 

I just started comcast 2 weeks ago, and from "day 1" *all* of my ports are blocked.  To determine this I went to a site http://nmap-online.com/ and did a full scan of all ports, the result was that they are all blocked.  Actually at first I was looking to administer the router to block any ports that I don't absolutely need.  It turns out that it looks like I cannot administer the router/modem at all.

 

 

I was given a Thompson DHG535-2 Modem.  I have seen many other people posting on the nets looking for the manual, and most of them have bogus links.  Here is where I finally found the appropriate manual, which lists nothing of administration functions. 

http://www.manualsonline.com/mdownloads/a4df522b-2bbe-4d80-b4e2-1ee026367196.pdf

Also, going to http://192.168.100.1/Admin.html just gives the message that this feature has been disabled, as does http://192.168.100.1/goform/BasicLan

 

I would like to use port 22 to access my home desktop PC from my portable laptop PC (ie. to browse grab files i forgot to bring with me, via ssh and scp).

 

I would also like to have a port such as "8080" open so that I can create and test my own webpages at home - there is no danger of this becoming a "server".

 

Please tell me what steps I need to take to get this access.

 

 


You're misunderstanding what you're seeing. Comcast does block a few ports, but it's your router that is responsible for what you're seeing with that test; the default is to block everything. You need to do port forwarding in your router to allow, say, TCP port 22 connections to get through to your computer.

 

Edit: A personal firewall on the computer could also be blocking everything.

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

We should also point out that the 192.168.* device he is connected to is not the Comcast cable modem device -- this has got to be the LAN router.

Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Comcast blocking TCP Port 22 inbound

 


ajkessel wrote:

We should also point out that the 192.168.* device he is connected to is not the Comcast cable modem device -- this has got to be the LAN router.


Not quite. The router is usually 192.168.0.1 or 192.168.1.1 (you can configure it to a different address range if you want, but most people don't). 192.168.100.1 is the cable modem, and that's the IP he went to.

 

Contributor
ajkessel
Posts: 11
Registered: ‎05-17-2010

Re: Comcast blocking TCP Port 22 inbound

 


Barmar wrote:

 


ajkessel wrote:

We should also point out that the 192.168.* device he is connected to is not the Comcast cable modem device -- this has got to be the LAN router.


Not quite. The router is usually 192.168.0.1 or 192.168.1.1 (you can configure it to a different address range if you want, but most people don't). 192.168.100.1 is the cable modem, and that's the IP he went to.

 


Interesting! I hadn't realized that; I suppose there's nothing there we would need access to in the ordinary course of use.

 

Connection Expert
EG
Posts: 44,139
Registered: ‎12-24-2003

Re: Comcast blocking TCP Port 22 inbound


ajkessel wrote:

 

Interesting! I hadn't realized that; I suppose there's nothing there we would need access to in the ordinary course of use.

 


Maybe not for the average person, but for some, the very important signal stat, error log, and other information that is needed for troubleshooting connectivity issues is there.

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

Does anyone from Comcast reply to these posts?  I am still awaiting something helpful.

 

I have a Netgear WNR1000 v2 supplied by Comcast.  This is not the issue.  Even if I skip that router and plug my PC directly into the Thomson Cable Modem all ports are blocked.  Port Forwarding would not help.

 

For those who suggest that 192.168.100.1 is the address to access a Netgear WNR1000 please explain why the page says "Thompson Basic LAN status" and was available before I even installed the Netgear, and the Administration panes for the Netgear are available at http://192.168.172.101 .

Bronze Problem Solver
Posts: 3,279
Registered: ‎05-12-2006

Re: Comcast blocking TCP Port 22 inbound

 


madzimambo wrote:

Does anyone from Comcast reply to these posts?  I am still awaiting something helpful.

 

Several Comcast employees (names in red) have responded in this thread. The last one was a reply saying that the OP's problem had been fixed.

 

I have a Netgear WNR1000 v2 supplied by Comcast.  This is not the issue.  Even if I skip that router and plug my PC directly into the Thomson Cable Modem all ports are blocked.  Port Forwarding would not help.

 

For those who suggest that 192.168.100.1 is the address to access a Netgear WNR1000

 

I don't recall anyone suggesting that. Several said that 192.168.100.1 is the address of the modem.

 

please explain why the page says "Thompson Basic LAN status" and was available before I even installed the Netgear, and the Administration panes for the Netgear are available at http://192.168.172.101 .

  Just FYI, 192.168.1.1 is typically the address of the router.

 

 

  Comcast isn't blocking "all your ports". It sounds to me like a personal firewall is causing your problem.

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

Hi - Sorry I don't mean to sound rude I'm just frustrated.  The most recent name in red is "COMCAST GEORGE" and that was quite a while ago, not in response to my "follow up" on this thread.

 

Would you suggest I start a new thread?

 

There is no "Personal Firewall".  That's like some marketing term invented by Microsoft.  I appreciate people trying to help but I really need to get COMCAST involved.  I don't use Microsoft, there is no firewall involved in my testing.  I don't want to put my IP on here unless directed to by a COMCAST rep, but trust me, all of the ports are filtered, and none of the ports are filtered by my PC (to allow this new connection to be set up correctly), and I can connect my PC directly to the Cable Modem to prove that as needed.

 

The issue here is this - someone, COMCAST, probably needs to administer the Thompson Cable Modem their Contract Employee/Installer gave me, and change some things - they'll probably need to do that by sending it an updated DOCSIS file. 

 

Thanks for people who have tried to be helpful.

Bronze Problem Solver
Posts: 3,279
Registered: ‎05-12-2006

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

 


madzimambo wrote:

Hi - Sorry I don't mean to sound rude I'm just frustrated.  The most recent name in red is "COMCAST GEORGE" and that was quite a while ago, not in response to my "follow up" on this thread.

 

Would you suggest I start a new thread?

 

At this point I'd say no, but that probably would have been the way to go with your initial post. One port being blocked and all ports being blocked aren't really the same problem.

 

There is no "Personal Firewall".  That's like some marketing term invented by Microsoft. 

 

No it isn't. "Personal Firewalls" have been around since long before MS started including one in Windows. However, I'll agree that Personal Firewalls are mostly just hype for the advertised purpose of protecting individuals from "the hackers". ISPs have been blocking the ports where the vulnerable MS stuff lives for years.

 

I appreciate people trying to help but I really need to get COMCAST involved.  I don't use Microsoft, there is no firewall involved in my testing.  I don't want to put my IP on here unless directed to by a COMCAST rep, but trust me, all of the ports are filtered, and none of the ports are filtered by my PC (to allow this new connection to be set up correctly), and I can connect my PC directly to the Cable Modem to prove that as needed.

 

The issue here is this - someone, COMCAST, probably needs to administer the Thompson Cable Modem their Contract Employee/Installer gave me, and change some things - they'll probably need to do that by sending it an updated DOCSIS file. 

 

From what I've read, that device doesn't have the capability to block ports. I checked out http://nmap-online.com/ , and I think they're giving you bogus info. When I went with the "check ports 1 - 5000" default option they said they only checked 1000 ports, and that they were all "filtered". I'd unblocked port 55 specifically to check them out, and confirmed via a third party that it wasn't blocked. When I did a custom scan and specified the range of ports 53-56 it properly showed:


53/tcp filtered domain
54/tcp filtered xns-ch
55/tcp closed isi-gl
56/tcp filtered xns-auth


Note that "closed" indicates that the port isn't blocked, it shows that they received a response from TCP/IP on my computer saying that there was no service running on that port.

 

Edit: Oh, the bogus part I was thinking of was they were reporting all ports as "closed" in the scan (which can be misinterpreted), where they should have been reporting some ports as "filtered", because Comcast does block some ports. 135-139, for example.
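Added example, not part of any post in this thread: the open / closed / filtered distinction discussed above, as a small probe that classifies one TCP connect attempt and then combines the suspect port, a control port and a WAN-side packet capture into a conclusion. The function names `probe_tcp` and `diagnose` are hypothetical, the probe is meant to be run from a machine outside the connection being tested, and the built-in demo only uses a constructed listener on 127.0.0.1.

```python
"""Classify a TCP port as open / closed / filtered and interpret the result.

Added example: names and the localhost demo are constructed, not from the thread.
"""
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """One TCP connect attempt, reported the way nmap words it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # SYN/ACK came back: a service answered
    except ConnectionRefusedError:
        return "closed"        # RST came back: the host was reached, nothing listening
    except socket.timeout:
        return "filtered"      # silence: the SYN was dropped somewhere on the path
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable sent by a device on the path
        raise
    finally:
        sock.close()


def diagnose(suspect, control, syn_seen_on_wan_capture):
    """Interpret an outside probe of the suspect port (e.g. 22) and a control
    port (e.g. 80 or a high port), plus whether a capture on the WAN-facing
    interface showed the suspect port's SYN arriving.

    Returns (code, explanation).
    """
    if suspect == "open":
        return ("reachable", "the service answered; nothing is blocking it")
    if suspect == "closed":
        return ("host-answered",
                "a RST came back, so the SYN got through; start the service "
                "or check the port forward, this is not upstream filtering")
    # From here on the suspect port is 'filtered'.
    if syn_seen_on_wan_capture:
        return ("local-drop",
                "the SYN reached the interface and was dropped locally; "
                "look at the host firewall or router rules")
    if control in ("open", "closed"):
        return ("upstream-filter",
                "the same address answers on the control port but the suspect "
                "port's SYN never arrives: something before the interface "
                "is dropping that port")
    return ("inconclusive",
            "nothing answers on any port: wrong IP after a device swap, "
            "a router with default deny, or the host is down")


if __name__ == "__main__":
    # Offline demo against a constructed listener on the loopback interface.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print(demo_port, probe_tcp("127.0.0.1", demo_port, 1.0))
    listener.close()
    print(demo_port, probe_tcp("127.0.0.1", demo_port, 1.0))
    # The original poster's situation: 22 filtered, 80 open, no SYN in the capture.
    print(diagnose("filtered", "open", False))
```
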

 

 

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

Thanks Steve - what *would* you suggest I do from here?  For every router/modem I've had before where I experienced this issue I was able to administer the router/modem.  This one, the Thompson, I can't.

 

I can verify no filtering/blocking is taking place from "my end" ie, the PC (I can easily take the Netgear wireless out of the equation), and on my "internal/local" LAN I can access ports on the PC fine, but accessing it via the internet (through the COMCAST Thompson router/modem) no dice.

 

In my mind - the problem lies with the Thompson.  I can completely understand that this isn't COMCAST blocking ports (via their network topology/policies) but it is still COMCAST blocking ports, on the router they gave me, right?

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

BTW - what Third Party did you use.  I'm not locked in to using nmap-online.  I can perform nmap scans directly from my PC as needed, or any other available port scanner.

 

In the past 10 years I've used 5 different ISPs, a/dsl, cable, and "FIOS" and I've had some experience with this issue - wouldn't you agree the problem here is the Thompson Cable Modem?

 

Thanks,

 

Shawn

Bronze Problem Solver
Posts: 3,279
Registered: ‎05-12-2006

Re: Comcast blocking TCP Port 22 inbound

 


madzimambo wrote:
Thanks Steve - what *would* you suggest I do from here?  For every router/modem I've had before where I experienced this issue I was able to administer the router/modem.  This one, the Thompson, I can't.

Like I said, it doesn't seem to me that that modem has the capability to block ports. At least not from your end; Comcast can do that with their config file, but it seems unlikely that they'd be doing that. Maybe you *should* start a new thread and very matter-of-factly describe your problem in detail. Have you tried calling 1-800-COMCAST?

I can verify no filtering/blocking is taking place from "my end" ie, the PC (I can easily take the Netgear wireless out of the equation), and on my "internal/local" LAN I can access ports on the PC fine, but accessing it via the internet (through the COMCAST Thompson router/modem) no dice.

I've had a bit of trouble configuring a Personal Firewall to accommodate a POP proxy that did spam filtering. I never did get my head totally wrapped around it, but the problem lay in the firewall distinguishing between incoming and outgoing. Just wondering if you could have a Personal Firewall running that didn't care about internal traffic. What OS are you using? I won't be able to help, but maybe someone else might have some info about what might be installed by default.

In my mind - the problem lies with the Thompson.  I can completely understand that this isn't COMCAST blocking ports (via their network topology/policies) but it is still COMCAST blocking ports, on the router they gave me, right?

Maybe.

************

BTW - what Third Party did you use.  

I used a shell account that I have to telnet back to me.

I'm not locked in to using nmap-online.  I can perform nmap scans directly from my PC as needed, or any other available port scanner.

Just for yucks, you could try the "Shields Up" scanner at: http://www.grc.com

In the past 10 years I've used 5 different ISPs, a/dsl, cable, and "FIOS" and I've had some experience with this issue - wouldn't you agree the problem here is the Thompson Cable Modem?

You certainly sound like you know what you're talking about, but I don't really know enough about it to agree with anything. But I want to make double sure that you're seeing "filtered" in the scan, not "closed".

 

Networking Expert
kevj
Posts: 4,859
Registered: ‎10-03-2003

Re: Comcast blocking TCP Port 22 inbound

[ Edited ]

 


madzimambo wrote:
.....but it is still COMCAST blocking ports, on the router they gave me, right?

The device Comcast gave you is not a router...it's a cable modem/voice MTA. It has no routing capabilities, no firewall...it is a transparent bridge to get IP traffic from the Comcast network to your internal networking devices, and to provide a way to connect your telephone to the Comcast voice services network.

 

By default, the Netgear router you have WILL block all inbound traffic. If you do not configure port forwarding on it when it is in the mix, you will not get any traffic through it from the outside.

 

When you try your scans, are you certain you are trying the correct IP? If you are taking the router in and out of the mix, the IP you will be provided by the Comcast DHCP servers will be different. You have to reset the cable modem each time you change the device that is connected to its ethernet port. It's possible that if you are not changing the IP you are scanning, that the Comcast DHCP servers have given you an IP based on the MAC address of your Netgear router. If you have not tried port forwarding on that, scanning will show nothing open. Now, if you switch devices, and plug your computer directly into the cable modem without resetting the modem, the Comcast network will not recognize the MAC address and you will not get a connection. If you are resetting the modem each time, and you do get a connection with the computer directly connected to the modem, the IP you are provided by Comcast will be different, so you could be scanning the wrong IP....

 

This may be simplistic for you given your past experience, but I just wanted to make sure you understand the technical requirements for changing the device that is directly connected to the ethernet port of the modem. This is a peculiarity of cable providers, and while it looks like you have used a few different ISPs, Comcast may be your first cable experience.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't work for Comcast...



New Visitor
scubahubby
Posts: 2
Registered: ‎12-05-2010

Re: Comcast blocking TCP Port 22 inbound

I'm having the same issue in Perth Amboy, NJ.

 

I just modified my router to let 443 and 22 through.  443 works fine but no go on 22.

 

Sigh.

New Visitor
scubahubby
Posts: 2
Registered: ‎12-05-2010

Re: Comcast blocking TCP Port 22 inbound

Simple workaround.  I configured my router to map incoming port 999 to internal port 22.  Now I can "ssh -p 999 me@xx.xx.xx.xx" no problem.

Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Comcast blocking TCP Port 22 inbound

I often recommend running your SSH server on a nonstandard port anyway. Port 22 gets an almost continuous stream of attempts to log in; you won't get so much door knocking on random ports.

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

I never got resolution to this, and will probably leave Comcast soon.  But I will try using a "non-standard" port for ssh and see if that works, just for my own satisfaction of "proving" that Comcast or the Comcast-issued equipment is blocking port 22.

 

The support on these forums, on this issue anyway, has been atrocious.

 

Thanks to everyone who tried to make suggestions.

Connection Expert
EG
Posts: 44,139
Registered: ‎12-24-2003

Re: Comcast blocking TCP Port 22 inbound

 


madzimambo wrote:

 

 The support on these forums, on this issue anyway, has been atrocious.

 

Thanks to everyone who tried to make suggestions.


Guess that you mean from CC employees? Guess that you realize that this is primarily a user to user supported help venue.

 

Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Comcast blocking TCP Port 22 inbound

I just opened port 22 on my router, and tested connecting to it from my work network. It got through just fine.

Contributor
Posimosh
Posts: 15
Registered: ‎07-08-2010

Re: Comcast blocking TCP Port 22 inbound

I believe they block ports 20,21,22 if there is too much bandwidth upstream from your ip. Check out the Dewey forums and so-called hack sites to get an explanation why.... I will tell u u guys were on the right track with the "newsy" and serving content multicast style or to multiple users cause it looks like you are being pwn'd to packet sniffers. 99/100 users will see this as a positive, however if you use the command line instead of fancy file managers this becomes problematic. Simply stated, the simplest way to transfer data is via the command line using ssh FTP cifs etc. As most proprietary software uses so-called exotic ports so that they can stake out their piece of the intel. Property pie making copycats easier to spot. I digress though, com ADR should let u turn their routers' firewall to ur ip off if u wish and if it is advertised as such.
Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

Yes, I meant from CC employees.

Contributor
madzimambo
Posts: 10
Registered: ‎07-11-2010

Re: Comcast blocking TCP Port 22 inbound

Re: Barmar - I wish I could repeat your results!

 

As an update - I tried disabling the firewall on my router, setting my "server" (desktop PC connected wired to the Netgear WNR-1000 that Comcast gave me) as the DMZ, nothing worked to allow *anything* through to my "server" on any port.  Then I enabled remote-administration for the router, and that port was allowed through (to the router of course)... I forget the port number off-hand.  I then disabled remote-admin and tried using SSH on that port, no good.  I was ready to eat crow, and admit that it must be something with the Netgear WNR-1000 I wasn't doing right, when I realized that even before I had that router, and was just using the EMTA modem (thompson DHG535-2), and I still couldn't get through to my "server" from any external addresses.

Email Expert
Posts: 18,241
Registered: ‎04-27-2004

Re: Comcast blocking TCP Port 22 inbound

I've asked a Comcast admin to check on this and confirm or deny whether port 22 is ever blocked.

Official Employee
ComcastSteve
Posts: 384
Registered: ‎09-13-2006

Re: Comcast blocking TCP Port 22 inbound

Port 22 is not blocked by default.

Steve Teow