O/T: Inbound Connections / Unrestricted APN

Sproggit

Active Member
Joined
Mar 28, 2010
Messages
49
Check the IP address assigned to you by your APN.
If you are assigned a public IP (I'm not at liberty to say when this will happen), you can be connected to by any other public IP.

If you are assigned an RFC 1918 address, this obviously won't happen. (Think of setting up dynamic port forwarding for 100 000+ users at a pop...)

Public ranges are NOT cheap.

Good old Teamviewer (or any other app that connects to a public server and reverses the connection) will always work.

This is not a CellC problem, it's an ISP problem, since without a public address, you would reach port exhaustion the moment multiple people want to connect to the same port (3389 for example).

Intra-APN traffic is no problem (RFC 1918 to another RFC 1918, especially if in the same range), so you can always get another dongle :)

The Sproggg
 

SarelSeemonster

Expert Member
Joined
Oct 15, 2008
Messages
1,066
> Check the IP address assigned to you by your APN.
> If you are assigned a public IP (I'm not at liberty to say when this will happen), you can be connected to by any other public IP.

Unless I'm missing something, this doesn't seem to be the case for me. My current Cell C IP falls within this range:

inetnum: 197.168.0.0 - 197.175.255.255
netname: CELLC-20100922
descr: Cell-C (Pty) Ltd

I have RDP enabled (worked fine previously when I still had ADSL):

C:\Windows\system32>netstat -natb
[...]
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
CryptSvc
[...]

My Windows firewall is disabled and I can Remote Desktop from another PC on my LAN to this one's private IP.

However, according to http://www.canyouseeme.org, they can't connect to me:

Error: I could not see your service on 197.170.x.x on port (3389)
Reason: Connection timed out

:crying:

I know there are alternatives to RDP such as TeamViewer and LogMeIn (and I use both regularly) but those aren't the only programs (by far!) that require inbound connections to be allowed.
 

SarelSeemonster

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2011-02-22 at 11:04:14

Results from probe of port: 3389

0 Ports Open
0 Ports Closed
1 Ports Stealth
---------------------
1 Ports Tested

THE PORT tested was found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------


The "All Service Ports" test came back with all ports = stealthed.
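
The checks discussed in the posts above, combined in one place as an added example (not code from any poster in this thread): classify the address the APN assigned, compare it with the address a remote site sees, and interpret a single TCP probe run from outside against a host you own. The function names, the 100.64.0.0/10 carrier-NAT range and the sample address are assumptions that do not come from the thread.

```python
import ipaddress
import socket

# Private ranges from RFC 1918, which the first post refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: RFC 6598 shared space, used for carrier-grade NAT (not in the thread).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def address_class(addr):
    """Classify the address the APN handed to the modem."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public" if ip.is_global else "special"


def probe(host, port, timeout=3.0):
    """One TCP connect, run from outside the network against a host you own."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # SYN/ACK came back
    except ConnectionRefusedError:
        return "closed"      # RST came back: the host or a REJECT rule answered
    except OSError:
        return "filtered"    # timeout (silent drop) or an unreachable error
    finally:
        sock.close()


def diagnose(assigned, seen_outside, outcome):
    """Combine the assigned address, the address a remote site sees, and a probe."""
    if address_class(assigned) in ("rfc1918", "cgnat"):
        return "nat"         # no inbound without a mapping on the carrier's NAT
    if ipaddress.ip_address(assigned) != ipaddress.ip_address(seen_outside):
        return "translated"  # public on the modem, but rewritten upstream
    return {"open": "reachable", "closed": "rejected", "filtered": "dropped"}[outcome]


if __name__ == "__main__":
    # Constructed address inside the 197.168.0.0 - 197.175.255.255 range quoted above.
    print(diagnose("197.170.0.10", "197.170.0.10", "filtered"))
```

A "dropped" result with a public, untranslated address and a listening service matches the "Connection timed out" and STEALTH results reported above: the SYN is discarded somewhere on the path instead of being answered with a RST.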
 

Sproggit

OK, will you do a test of all common ports (you don't have to share results)?
Not even ICMP is interesting, as the NATed IPs shouldn't have ICMP filtering...

Ooops, sorry, just reread and saw you've already tried...
 

Sproggit

Aaha.
Just got some dirt.
My info was out of date.
Apparently some jackasses thought port-scanning CellC subscriber ranges was a good idea.
This not only meant a security issue, but the subscribers were going to pay for incoming data and REJECT packet replies.

Sorry bud, but some kids just have to spoil it for everyone...
:(
 

SarelSeemonster

Yup, they're all blocked, as far as I can tell. The whole kaboodle! (not sure about UDP, though)

Someone did an nmap scan some time ago and discovered that only 53/TCP is open, but I guess Cell C didn't much like us using it so that's no more either.. *proceeds to wallow in self-pity*
 

Sproggit

Suspects

Now if only I could think of someone with a LOT of bandwidth, who would have an interest in pi$$ing off CellC subscribers by generating loads of spurious traffic...:whistling:

> Yup, they're all blocked, as far as I can tell. The whole kaboodle! (not sure about UDP, though)
>
> Someone did an nmap scan some time ago and discovered that only 53/TCP is open, but I guess Cell C didn't much like us using it so that's no more either.. *proceeds to wallow in self-pity*
 

SarelSeemonster

> Now if only I could think of someone with a LOT of bandwidth, who would have an interest in pi$$ing off CellC subscribers by generating loads of spurious traffic...:whistling:

Ha! Name and shame, I say! We will not stand for this...this...nincompoopery! :p

> This not only meant a security issue, but the subscribers were going to pay for incoming data and REJECT packet replies.

So why not just block the stuff that is obviously malicious in nature, e.g. port scans, DoS attacks, Windows NetBIOS (139/TCP), email-borne viruses (25/TCP) etc. (which I believe is what SAIX and other large ISPs are basically doing), instead of blocking ALL legitimate inbound connections?

Or maybe even continue to block everything for the majority of their subscribers, i.e. the vanilla ones who don't understand and/or don't care about any of this incoming connections nonsense, and then just give us few "special cases" (of which there are quite a few, judging by the poll results) the option of an unrestricted Interwebz experience. I'll even pay an activation fee for this "privilege", which should help to motivate their lazy network admins to come up with the necessary firewall rules :)

Seriously, I can handle a few port scans and will be happy to pay for the additional traffic caused by the occasional flood of unsolicited SYN packets as part of my bandwidth usage (since, well, that's exactly what it is), which I will be rejecting anyway. I'll also be happy to sign whatever damages waiver agreement they come up with.
 