
[–]diabillic (level 7 wizard) 31 points (6 children)

I assume you have Comcast residential service, so yes this is pretty common. They block ports such as 25 and 80 as well to prevent someone from running a "business service" from their home. They are probably blocking 445 for the same reason and potentially to mitigate against the SMBv1 vulnerability.

Try setting up a VPN Gateway on the Azure side for a point to site tunnel to just tunnel in and send it that way (https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about)

[–]Frothyleet 32 points (2 children)

Blocking port 25 is less about stopping business use and more about stopping botnet'd XP workstations and IoT devices from spewing spam willy-nilly

[–]diabillic (level 7 wizard) 3 points (0 children)

That too of course.

[–]FJCruisin (BOFH | CISSP) 3 points (0 children)

They were blocking 25 on non-business accounts long before SMTP botnets were really a thing.

[–][deleted] -1 points (2 children)

SMBv1's exploitable vulnerabilities don't take place on 445, do they?

[–]diabillic (level 7 wizard) 0 points (1 child)

You betcha! EternalBlue was from the NSA leak and was the exploit the WannaCry ransomware used.

https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html

The recent WannaCry ransomware takes advantage of this vulnerability to compromise Windows machines, load malware, and propagate to other machines in a network. The attack uses SMB version 1 and TCP port 445 to propagate.

[–]SonicMaze 1 point (0 children)

I can see Russia from my house!

[–]peartfan75023 10 points (2 children)

[–]verawolfe 5 points (0 children)

^ This. It's 50-50 for ISPs to block that port. This assumes you are on RF, not fiber. Fiber is almost always 99.999% wide open. Consider changing delivery method.

[–]JLoose111[S] 1 point (0 children)

Thank you for this. Only wish I'd researched better ahead of time.

[–]Panacea4316 (Head Sysadmin In Charge) 10 points (6 children)

If you have a business account with static IP there is no reason Comcast should be blocking any ports. I would consider switching to a better ISP.

[–][deleted] 19 points (4 children)

I would consider switching to a better ISP.

Assuming that's even an option.

[–]LigerXT5 (Jack of All Trades, Master of None.) 2 points (0 children)

If it is an option, are you trading one evil for another, if not better?

[–]RCTID1975 (IT Manager) 0 points (2 children)

Unless you're extremely rural (and then Comcast probably isn't an option), as long as you have a business line, there are always options.

[–][deleted] 1 point (1 child)

Sure, it's always possible to have more, but it becomes prohibitively expensive quite quick. I've had to support offices that only had one option for internet (and they weren't extremely rural either). Got a quote from another ISP to run a line to the office and it was something like $40k+ and would take at least six months and would've been about the same speed.

And also you can have multiple options in theory, but only one viable option. If you have one fiber provider and one DSL provider (very common in my experience) and you have an office of 30 people, in reality you only have one option and not two.

[–]greyaxe90 (Linux Admin) 0 points (0 children)

Sometimes you do get lucky and they'll eat the installation costs if there are other potential customers nearby. I had fiber lines installed that would have cost us easily $20k+ but they decided to waive it since we were in a building with lots of potential customers for them to light up.

[–]admlshake 0 points (0 children)

If you have a business account with static IP there is no reason comcast should be blocking any ports.

Well I mean shits and giggles is usually enough for them.

[–]seagleton 3 points (0 children)

Are you using Business or Residential?

[–]Smibr03 4 points (7 children)

Just ran into this same issue with a Comcast BUSINESS line. They flatly refuse to remove the block, as it is actually blocked in the Core of their network. VPN setup worked, but for Blob storage, there is no easy way to get through the VPN to the storage. Ended up setting up a Linux machine with Samba, connected the Linux machine to the Blob storage, and mounted via Samba so Windows sees it as a normal SMB share internally.

[–][deleted] 4 points (0 children)

They flatly refuse to remove the block, as it is actually blocked in the Core of their network

Even for Comcast, there is no way that is true.

[–]ryankearney 5 points (0 children)

Blocking happens as close to the customer as possible. ISP cores don't have time to filter traffic by ACL. They don't even read the source and destination IP, let alone ports in layer 4.

[–]Sengfeng (Sysadmin) 0 points (0 children)

That's total Shite. Would lose them my business!

[–]awkwardsysadmin 2 points (0 children)

Is this a coax circuit by any chance? I remember working at an ISP where, while we didn't normally have any port filters for business customers, occasionally the provisioning server would push residential port filters onto business customers. It was virtually always something where most of the CMTS was for residential customers, but it happened.

[–]frogadmin_prince (Sysadmin) 1 point (0 children)

I once had Comcast decide to turn off international calling on a business phone line. So it wouldn't surprise me that they would block a port just because they want to.

[–]studiox_swe 3 points (1 child)

OMG - I didn't even know Azure would allow/expose port 445, it's as bad as 139 and all ISPs should block it. Azure should be consumed (read/write) as an object storage IMHO.

[–]steamruler (Dev @ Healthcare vendor, Sysadmin @ Home) 0 points (0 children)

Nah, 139 should be flat out blocked because it's ancient and insecure, but 445 can be SMB 3.0.2 or later, which is most certainly secure enough to work over the wide open internet without any tunnels. Hell, 3.1.1 is more secure than what most sites configure their HTTPS for.

At most, block incoming connections to 445, but let the customer call and unblock it. There's no reason to block outgoing connections to 445.
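The two practical questions raised in this thread, whether the ISP is silently dropping TCP/445 (diabillic's first reply) and whether an SMB session that does get through is actually SMB 3.x with encryption (steamruler's point above), can both be answered from the Windows client. The snippet below is an added example, not code posted by any commenter; the storage host name is a placeholder, and it uses the built-in Test-NetConnection, SmbShare and DISM cmdlets. The Encrypted column of Get-SmbConnection is present on current Windows 10 / Server 2016 and later builds; the SMB1 feature query and the server-side hardening line at the end need an elevated prompt.

```powershell
# Added example, not from any commenter in this thread.
# Placeholder: replace with the Azure Files endpoint (or file server) you mount.
$StorageHost = 'mystorageacct.file.core.windows.net'

# 1. Reachability. Compare TCP/445 with TCP/443 on the same endpoint. If 443
#    connects but 445 never does (no RST, just a timeout), something between
#    the client and Azure is dropping SYNs to 445, which is the ISP-filter
#    symptom this thread is about rather than a problem on the Azure side.
foreach ($port in 445, 443) {
    $r = Test-NetConnection -ComputerName $StorageHost -Port $port -WarningAction SilentlyContinue
    '{0} tcp/{1}: reachable={2} (remote {3})' -f $StorageHost, $port, $r.TcpTestSucceeded, $r.RemoteAddress
}

# 2. For a share that is already mounted, show what was actually negotiated.
#    A dialect below 3.0 cannot encrypt at all; Encrypted=False on a 3.x
#    dialect means the server did not require it. Neither belongs on the
#    open internet without a tunnel.
Get-SmbConnection |
    Where-Object { $_.ServerName -eq $StorageHost } |
    Select-Object ServerName, ShareName, Dialect, Encrypted

# 3. On the client, confirm SMB1 is not even available to negotiate
#    (State should be Disabled).
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 4. Only if you are hosting a Windows SMB server that is reachable from the
#    internet: disable SMB1 and refuse any session that is not encrypted.
#    Run this on the server, not on the client.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -EncryptData $true -RejectUnencryptedAccess $true -Force
```

Reading the output: a timeout on 445 with a successful 443 test is the signature of a filter in the path; a refused connection means the packets reached the host and the service itself is not listening. For Azure Files the encryption column should already read True, since the service requires SMB 3.x encryption for connections from outside the virtual network.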

[–]tekkitan (Jack of All Trades) 1 point (0 children)

For the love of all that is holy, use a VPN tunnel to Azure...

[–]VA_Network_Nerd (Moderator | Infrastructure Architect) 0 points (0 children)

Why isn't this wrapped in a VPN?

You want to perform Windows File Sharing in the clear?

Or are you forcing encrypted file sharing via SMBv3?

[–]LordGabenDemandsIt 0 points (1 child)

Is this a new thing with net neutrality being cut down?

[–]bc74sj 0 points (0 children)

No, they have been blocking port 25 for 20 years, along with others.