ISP port blocking practice

Jared Mauch jared at puck.nether.net
Tue Nov 3 20:13:35 CST 2009


On Nov 3, 2009, at 8:51 PM, mark [at] edgewire wrote:

> Hi all,
>
> Just out of curiosity for those whom may manage Hotel Wifi networks  
> (I know I know, not really ISP level but since we're on the topic of  
> port blocking). Does anyone actually make an effort to be blocking  
> port 443? I've had that experience at a few Hotels in Philippines  
> and I can't think of a valid reason as to why those ports would be  
> dropping traffic. Would like to hear from anyone whom has had this  
> experience.

I've found that some public (eg: Hospital) networks have very  
draconian security policies on their guest wireless.  The University  
of Michigan hospitals block IMAP over SSL (tcp/993), SMTP-Submit (tcp/ 
587) and all the vpn software I had at my disposal.

This blocking is becoming more common to force people to HTTP/HTTPS  
ONLY based systems.  They make utilizing these networks from a mobile  
device hard, and quickly forget your mac authentication quickly and  
are overall poorly run (no feedback loop to get things unblocked that  
are legit).

I have found that I am having to vpn-out more often from these 'guest'  
networks to obtain "real" internet access.  I recommend running a few  
gateways (eg: pptp, ipsec, openvpn) to get around these issues.

(I have found some well run hotel networks that intercept tcp/3128 and  
send it to a local squid cache).

	- Jared




More information about the NANOG mailing list