Comment by jesprenj
13 days ago
Slovenian ISP T-2.net also violates local network neutrality laws here by requiring customers to pay extra to unblock some special TCP ports, like 25 and 53, meaning they block self-hosting email and DNS servers without additional payment. I filed a complaint with the national regulator AKOS. They first responded by agreeing with me, but nothing was fixed for many months, and upon emailing the regulator again, I received a different response from another employee claiming that charging more for unblocking special applications is legal (it's not).
Another T-2 customer here. I never ran into issues with port blocking (but didn't try 25/53), even more, I had a "free" static IPv4 on DSL before we got the fiber line, but I've lately been noticing random connection slowdowns. Never had significant slowdowns with DSL.
I've talked to a few people (Telemach customers) who told me it happens every now and then, they call the support center that tells them to restart the modem (even if they'd done it before) and then the connection magically works at full speed again.
Could it just be that it all goes through Telekom Slovenije who does some weird load balancing? Definitely worth an investigation, but ZPS might be a better address for this than AKOS.
Telemach is also funny in net-neutrality regard:
Article 7.2 of their terms of service https://telemach.si/download/terms/splosni-pogoji-poslovanja...
> The subscriber undertakes that, after connecting to the provider's network:
> ...
> * they will not set up servers at their location, except where an appropriate agreement has been concluded with the provider,
> ...

It states that customers are bound not to set up servers on their internet connection point without prior approval by the ISP. It sounds against the law to forbid this, albeit IANAL.
Calling this "paying to unlock ports" is disingenuous. I'm also a T-2 customer and have run into this before. They block ports on dynamic IPs, but if you pay +2€/mo for static, this is unlocked. This seems reasonable. If you're not paying for static IPv4, you're paying for "internet access", whether that's a rarely changing dynamic IPv4, a constantly changing IPv4 or full CGNAT.
Would you also say your mobile phone operator is violating net neutrality by putting you behind CGNAT that you can't forward arbitrary ports through? You can pay a bunch of money to get a private APN and get public IPv4 addresses. Would you call that an unblock fee?
I've been told there's a law that my mobile phone operator has to turn off all firewalling on my connection if I ask.
I don't know about that law, but GP's point was that you don't get a public IP anyway, firewall or not. And with this NAT in place, you can't ask them to forward specific ports to your equipment.
In France, CG-NAT is getting widespread even for fixed, FTTH links. I'm typing this connected to SFR, which provides a static IPv6 /56, but IPv4 is behind CG-NAT. I can't host anything on IPv4. I think there's an option to get a fixed, internet routable address, but not on the "discount" plan I'm on. I hear you maybe can ask support to get you out of CG-NAT, but that doesn't seem very reliable.
Free (local ISP), by default, doesn't give a static IP for fiber, but you can ask for one for free through your online account page (you just need to tick a box).
> They block ports on dynamic IPs, but if you pay +2€/mo for static, this is unlocked. This seems reasonable.
Why does that seem reasonable to you? Why should dynamic IPs not be able to receive incoming connections? It costs them nothing to let those packets through.
> disingenuous
Bad.
> Would you also say your mobile phone operator is violating net neutrality by putting you behind CGNAT that you can't forward arbitrary ports through?
CGNAT is pretty awful, but at least there's a reason for connections to fail.
But sure, if I had control I would mandate that CGNAT lets you forward ports. Maybe you don't always control the external port, but there shouldn't be any other compromises.
> You can pay a bunch of money to get a private APN and get public IPv4 addresses. Would you call that an unblock fee?
That's a workaround to get a different connection, not an unblock, so no.
Firstly, dynamic IPs are quickly reused, so if one customer gets an IP onto a bunch of firewall blocklists because they were operating services that got exploited (like an open relay for spam, email backscatter generator, DNS that was used for amplification, SMB that hosted one-click executable Windows malware...), this means some random unrelated customer will now have problems with their internet connection. After a while, you could poison a large chunk of the pool, then they have to not just deal with you, but also a bunch of other angry customers as well as beg all the firewall vendors to unblock those IPs.
If you get static, you keep that IP for a while. You suffer the consequences of your bad setup, you have to deal with FW vendors and after you leave, the IP will be offline for long enough that it will probably "cool off".
And secondly, while I don't like it, we need to keep in mind net neutrality was not written for self-hosters. It was written so an ISP can't zero-rate their own streaming service, or block their competitors. It was about internet access, not internet participation. The overwhelming majority of people are not and don't care to be "on" the internet, they want to "access" things that are on the internet. That's why NAT is still everywhere.
Blocking port 25 is perfectly reasonable.
There are no sane and legitimate reasons for running an SMTP server on a residential connection. Even most server providers will block it unless you give them some very good reasons.
Blocking 53 is just weird though.
Define "residential connection".
There is no such thing. A connection to the internet should be equal to any other connection to the internet, modulo BGP peering. No one has a right to dictate what services I run or don't run, what protocols I speak or don't speak, what traffic I accept or deny, but *me*. That's the whole point of being on the internet rather than Prodigy or CompuServe or something.
The physical location of that connection is irrelevant. Maybe I feel my servers are safer in a datacenter. Maybe I feel they're safer in my basement. In my case, it is very much the latter, and again, you don't get to make that call. I do.
> A connection to the internet should be equal to any other connection to the internet
It's not your connection. It's your ISP's. They are also their IPs.
> No one has a right to dictate what services I run or don't run, what protocols I speak or don't speak, what traffic I accept or deny, but me. That's the whole point of being on the internet rather than Prodigy or CompuServe or something.
Then become your own ISP. Get an ASN (easy), acquire your own IPv4 and IPv6 space (also easy, but v4 is expensive), get a commercial connection that'll allow for BGP, and go ahead, do whatever you want with your IP addresses.
> The physical location of that connection is irrelevant.
It's not about the physical location, it's about whose IP addresses you are using. If they are not yours, the service provider has every right to restrict what you do with them.
I'm not sure you read the OP's comment in full. They are talking about inbound traffic from the Internet. It's certainly a lot more common a case to self-host an MX than running an open DNS resolver or authoritative name server.
You may be surprised to learn that there are many types of botnets out there, and many use DNS queries for the C&C.
Although the GP wrote "53/tcp", that is a weird situation, because most (not all) DNS is over UDP.
One day I suddenly found my DNS resolver logs were very active with veritable gibberish. And it seems that my router had been pwned and joined some sort of nefarious botnet.
I only found this out because I was using NextDNS at the time, and my router's own resolver was pointed there, and NextDNS was keeping meticulous, detailed logs of every query.
So I nipped it in the bud, by determining which device it was, by ruling out other devices, and by replacing the infected demon router with a safe one.
But yeah, if your 53/udp or 25/tcp is open, you can pretty much expect to join a botnet of the DNS or SMTP-spam varieties.
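The comment above found a compromised router by noticing "veritable gibberish" in resolver query logs and then narrowing down which device was responsible. The script below, added here as an illustration and not code from any commenter or from NextDNS, does that triage over a constructed log sample: it profiles each client IP by query volume and by how many of its leftmost DNS labels look machine-generated (long, high-entropy, mixed letters and digits), then lists the clients worth isolating first. The log line format (`timestamp client qname qtype`), the client addresses and the `example-cc.net` domain are all assumptions made for this example; a real NextDNS export will need its own parser in `parse_line`.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real NextDNS output). The line format
# "timestamp client qname qtype" is an assumption made for this example.
# 192.168.1.1 plays the role of the router, repeatedly querying random-looking
# hostnames under a placeholder domain; the other clients show ordinary lookups.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 192.168.1.20 www.example.com A
2024-01-10T08:00:02Z 192.168.1.20 mail.example.org MX
2024-01-10T08:00:03Z 192.168.1.1 xk3j9qz7vb2m.example-cc.net A
2024-01-10T08:00:03Z 192.168.1.1 p0w8lq2ztr5y.example-cc.net A
2024-01-10T08:00:04Z 192.168.1.1 c7n1mq9xz4vk.example-cc.net A
2024-01-10T08:00:04Z 192.168.1.1 b2qz8kx0r7mt.example-cc.net A
2024-01-10T08:00:05Z 192.168.1.1 9zq3vxk7m2lp.example-cc.net A
2024-01-10T08:00:06Z 192.168.1.30 static.example.net AAAA
2024-01-10T08:00:07Z 192.168.1.20 cdn.example.com A
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Heuristic for machine-generated labels: long, high-entropy, and mixing
    letters with digits. Short or dictionary-like labels (www, mail, cdn) pass."""
    if len(label) < min_len or label_entropy(label) < min_entropy:
        return False
    return any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)


def parse_line(line: str):
    """Parse one assumed-format log line; returns None for anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip("."), "qtype": qtype}


def profile_clients(log_text: str) -> dict:
    """Per-client counters: total queries, distinct names, random-looking leftmost labels."""
    prof = defaultdict(lambda: {"queries": 0, "names": set(), "random_labels": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = prof[rec["client"]]
        p["queries"] += 1
        p["names"].add(rec["qname"])
        # Only the leftmost label is scored: that is where generated names vary.
        if looks_random(rec["qname"].split(".")[0]):
            p["random_labels"] += 1
    return {
        client: {
            "queries": p["queries"],
            "distinct_names": len(p["names"]),
            "random_labels": p["random_labels"],
            "random_ratio": p["random_labels"] / p["queries"],
        }
        for client, p in prof.items()
    }


def flag_clients(profile: dict, min_queries: int = 3, min_ratio: float = 0.5) -> list:
    """Clients to isolate first: enough volume, and mostly random-looking names."""
    return sorted(
        client for client, p in profile.items()
        if p["queries"] >= min_queries and p["random_ratio"] >= min_ratio
    )


if __name__ == "__main__":
    prof = profile_clients(SAMPLE_LOG)
    for client, p in sorted(prof.items()):
        print(client, p)
    print("suspect clients:", flag_clients(prof))
```

The thresholds are deliberately conservative: a single odd-looking name (CDN hostnames and tracking pixels often look random) is not enough, and the `min_queries` floor keeps one-off lookups from being flagged. Once the suspect address is known, the commenter's next step applies unchanged: confirm by ruling out the other devices, then replace or reflash the one that keeps generating the traffic.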
Whether or not I have a sane reason to use port 25 is none of their business.