Optonline http server
Posted: Thu Oct 26, 2006 3:57 pm
by Ambush Commander
I got a clever idea: I've got a static IP address and a reasonable upload speed, so why not make my local SVN server available to the WWW (though still password protected)? This way, I can do development away from home!
So after much wrangling with port forwarding and Apache configuration, I finally opened up port 1990 to the public (80 and 8080, for reasons then unknown to me, didn't work). All was good.
Then, the next day, I attempted to access it, and it was borked! My IP address wouldn't respond! After much hacking, I realized that my ISP Optonline had blocked that port. I opened another one and things worked like a charm.
However, I suspect that I won't have that port much longer either. There's lots of possible ports to use, but it'll be a pain to have to reconfigure Apache every time one gets blocked. So I ask ye': is there any way to do equivalent functionality? Remote desktop is great, but occasionally LogMeIn is blocked and it's no good for file transfers.
Posted: Thu Oct 26, 2006 4:08 pm
by timvw
Can't you find out the addresses your ISP uses to probe your ports? This way you can deny those (usually a range)... while you (typically not in that range, since you're "away from home") can still use the service.

Posted: Thu Oct 26, 2006 4:10 pm
by Ambush Commander
Mmm... that would be really smart. I'll have to start paying closer attention to my logs then.
Posted: Thu Oct 26, 2006 4:19 pm
by Ambush Commander
Apache hasn't reported any access attempts outside of IP addresses I know about. Does that mean they're not really probing, or that probing doesn't require Apache's involvement?
Posted: Thu Oct 26, 2006 4:21 pm
by feyd
Apache would only report for the ports it listens to.
Posted: Thu Oct 26, 2006 4:31 pm
by Ambush Commander
Yes, but Optonline wouldn't know about open webservers unless it probed the ports that Apache was listening to...
Posted: Fri Oct 27, 2006 12:40 am
by timvw
Afaik Apache only logs HTTP requests... All your ISP has to do is send a TCP/IP packet with the SYN bit set... and see if they receive a packet with the SYN/ACK bit set back... From that point they can presume there is something running on that port...
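What the post above describes, as an added example that is not part of the original thread: a loopback-only listener keeps a connection-level log beside an HTTP-level one, showing that a port check which sends no request never reaches the kind of log Apache writes. The `/svn/` path and the `example.invalid` host are constructed for the demonstration.

```python
import socket
import threading

def run_demo(host="127.0.0.1"):
    """Serve two loopback connections; return (tcp_log, http_log)."""
    tcp_log, http_log = [], []      # firewall-style view vs. access-log view
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))             # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve(count):
        for _ in range(count):
            conn, peer = srv.accept()   # kernel has already finished the handshake
            conn.settimeout(2.0)
            tcp_log.append(f"accepted connection from {peer[0]}")
            try:
                data = conn.recv(4096)
            except socket.timeout:
                data = b""
            if data:                    # only a real request produces an access-log line
                http_log.append(data.split(b"\r\n", 1)[0].decode("ascii", "replace"))
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            conn.close()

    worker = threading.Thread(target=serve, args=(2,))
    worker.start()
    # Client 1: connect and close without sending a byte (a bare port check).
    with socket.create_connection((host, port), timeout=2.0):
        pass
    # Client 2: an ordinary HTTP request (constructed sample).
    with socket.create_connection((host, port), timeout=2.0) as client:
        client.sendall(b"GET /svn/ HTTP/1.0\r\nHost: example.invalid\r\n\r\n")
        client.recv(4096)
    worker.join()
    srv.close()
    return tcp_log, http_log

if __name__ == "__main__":
    tcp, http = run_demo()
    print("connection-level log:", tcp)
    print("HTTP access log:     ", http)
```

A half-open SYN probe is quieter still: the handshake never completes, so even `accept()` does not see it and only packet-level firewall or router logs record the attempt.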
Posted: Fri Oct 27, 2006 7:57 pm
by Ambush Commander
Yes, but presumably if they only check for open ports, they won't know whether or not a server is running there or not. The other possibility is that they block all open ports, but that's highly unlikely.
Posted: Fri Oct 27, 2006 8:12 pm
by nickvd
Has there been a flurry of incoming activity? They won't need to probe you if they can just look at their router logs and see lots of inbound connection attempts to your ip:80
Posted: Fri Oct 27, 2006 8:14 pm
by Ambush Commander
Nope. It's entirely personal, and I've only used it a few times before.
Posted: Fri Oct 27, 2006 8:28 pm
by nickvd
You may want to give them a call... Running a personal server on your own personal connection that you are personally paying for shouldn't be against their TOS... They may just need to set a flag on your account to allow (certain) open ports (assuming it's an automated process on their end.)
Most ISPs, mine included (they block all in/out on port 25 and port 113 (smtp/pop) to servers other than their own, preventing me from running my own mail server, yet they've 'let' me run a web server for nearly 3 years now... huh?) block a lot of the standard server ports to prevent you from using your connection to run a terabyte kiddie porn ftp dump...
Most of the time, upgrading your account to a "business" class account will remove most of the restrictions (along with a little extra weight from your wallet)
Posted: Fri Oct 27, 2006 9:29 pm
by Ambush Commander
Oh, this is rich. It's not my ISP. It's my Zone Alarm firewall!

For some reason, it doesn't start blocking newly opened ports until I reboot, which is why the ports seem to close like hotcakes. I need to figure out how to stop this while keeping the firewall up.
Posted: Fri Oct 27, 2006 10:24 pm
by nickvd
/me slaps AC upside the head with a trout
ZA will let you open ports thru the firewall, just allow incoming connections to the port you have svn on... (you can also filter by IP address, so you can only allow work IPs thru)