<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Sorry for the direct reply, not sure why my mail client decided
to reply to you and not the list. But I digress. <br>
<br>
A quick test to verify the carrier would be to plug in a web
server, even if it's just a simple IIS or 3rd-party server on a
laptop, directly to the WAN in place of the firewall (and set to
the WAN address of the firewall) and see if you can hit it while
directly connected to the WAN. That will rule out your firewall if
you can hit the directly connected test server. <br>
<br>
And I feel your pain. The company I work for does CCTV and until
the vendor developed their mobile app, we had to bypass
residential blocks on port 80 by setting the NVR to talk on 81 and
teach the customer how to hit it by adding :81 to the end of the
DDNS address to bypass the ISP block. <br>
</p>
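<p>As an added diagnostic (not code from anyone in this thread), the script below probes a site's ports 80 and 443 from an outside host and reports whether each port answers, is actively refused, or times out. A port that is refused (an RST comes back) proves packets reach the site, so the carrier is not dropping them; a port that only times out is being silently dropped somewhere, which is where the direct-on-WAN test above comes in. It assumes bash is present (for /dev/tcp) and the coreutils timeout command; the hostname in the usage comment is a placeholder.</p>

```shell
#!/bin/sh
# Added example, not code from the thread: classify how a TCP port at a site
# responds from the outside, so an ISP silent drop can be told apart from an
# active reject by the site's own firewall or server.
# Assumes: bash present (for /dev/tcp) and coreutils `timeout`.
# The hostname used in the usage comment is a constructed placeholder.

TIMEOUT_SECS=${TIMEOUT_SECS:-5}

# classify_rc: map the exit status of one connect attempt to a verdict.
#   0   -> open      (handshake completed: a listener answered)
#   124 -> filtered  (no SYN-ACK and no RST before the timeout: packets are
#                     silently dropped, either by the carrier or a DROP rule)
#   *   -> refused   (RST or ICMP unreachable came back: packets reached
#                     something that actively rejected them)
classify_rc() {
    case "$1" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo refused ;;
    esac
}

# probe_port HOST PORT: one TCP connect attempt; prints the verdict and
# always returns 0 so it is safe to call under `set -e`.
# Note: a name that fails to resolve also shows as "refused".
probe_port() {
    if timeout "$TIMEOUT_SECS" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    classify_rc "$rc"
}

# compare_ports HOST: probe 80 and 443 and say what the pair implies.
compare_ports() {
    p80=$(probe_port "$1" 80)
    p443=$(probe_port "$1" 443)
    printf '%s: port 80=%s, port 443=%s\n' "$1" "$p80" "$p443"
    if [ "$p443" = open ] && [ "$p80" = refused ]; then
        echo "80 reaches the site and is rejected there: not a carrier block"
    elif [ "$p443" = open ] && [ "$p80" = filtered ]; then
        echo "80 is silently dropped: carrier block or a DROP rule; use the direct-on-WAN test to tell which"
    fi
}

# Run from a host outside the site, e.g.:  compare_ports www.example.com
```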
<div class="moz-cite-prefix">On 8/23/2019 10:21 PM, Fungal Style
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:A40A5D23-6D56-47D6-8486-CE5CD15BC20E@hotmail.com">
<div class="WordSection1">
<p class="MsoNormal"><span>Roy,</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Thanks for the reply…</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I agree, I do not believe DNS can do
it (although I know there are some funky things that can be
done).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Port 80 would be open on the carrier
for outbound traffic, but this particular carrier has
blocked unsolicited inbound traffic of specific ports like
port 25 and port 80 in the past (to block phishing sites,
spam, etc).</span></p>
<p class="MsoNormal"><span>Although when I enquired they advised
that it was open, although they were not specific and
&lt;rant&gt; this is what I hate about technical roles
outsourced to developing countries &lt;/rant&gt; (ironically
I personally know people who work for some of the BPOs who
handle contact for this particular carrier, so I am VERY
sceptical they really know).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I have reviewed their firewall and, as
someone with enough knowledge to be dangerous, copied the same
rules which worked for port 443 and applied them to port 80,
changed the order and tried various other ways to set a priority,
but to no effect, hence my suspicion that the provider is
blocking, regardless of their claims.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I am led to believe the service is a
“business grade” service, which is more about SLAs than
anything else. (It is a fixed wireless connection on the NBN
in Australia.)</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I did find references to others
having the port blocked and others not with the same
provider for port 80, however no one ever raised any issues
over port 443 or other obscure ports (mainly seen 25 and 80
being reported as blocked).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I have got another reply from Michael
which I need to look at closely and test, so I will post
here again once I have looked at it also.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>But as for iptables, unless I wanted
to pass ALL traffic to the external server, from what I am
finding/reading it will not do it.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Regards</span></p>
<p class="MsoNormal"><span>Brian</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<div>
<p class="MsoNormal"><b><span>From: </span></b><span>Roy
Urick <a class="moz-txt-link-rfc2396E" href="mailto:rurick@usa.net">&lt;rurick@usa.net&gt;</a><br>
<b>Date: </b>Saturday, 24 August 2019 at 1:09 am<br>
<b>To: </b>Brian Carter <a class="moz-txt-link-rfc2396E" href="mailto:wayin@hotmail.com">&lt;wayin@hotmail.com&gt;</a><br>
<b>Subject: </b>Re: [BlueOnyx:23157] Redirection and
forwarding, needing to redirect to a different server to a
different port, can this be done easily?</span><span></span></p>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<p>Pretty sure DNS cannot add a port number to a query response,
or even know what port the subsequent traffic is going to use.
It just is asked "what is the IP of this host" and the DNS
server responds.
<br>
<br>
I'd guess that if 443 is open, 80 is also open at the carrier
level. I don't know of any non-business service providers that
block inbound 80 and don't also block inbound 443 as well.
<br>
<br>
My gut says the firewall is misconfigured. You can always call
the ISP and ask if they are blocking any inbound ports. In my
experience they will all tell you whether they are or not. If
it's not business class service they are probably blocking it.
But I can't imagine them not blocking both. </p>
<div>
<p class="MsoNormal">On 8/23/2019 10:02 AM, Fungal Style
wrote:</p>
</div>
<blockquote>
<p class="MsoNormal"><span>Hi all,</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Here is the situation, a website is
hosted with an on-premise server (I know, stupid idea, but
these guys are raised on *stoopid*, as in I bet their
parents took a double helping thing more is better), they
have port 80 blocked and port 443 open, so if you access
their site via HTTPS, it works fine, but drop the HTTPS
and use just HTTP, it fails, as port 80 is blocked.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Simple solution would be to change
their firewall, right? Well, I am not certain the issue is
with the firewall but the provider of the link to their
server, and the firewall is part of a fairly high-end
router for which you may need some additional training to
understand all of the features (I think it is one of the
Vanguards from memory, been a little bit since I last
looked at the configs).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>So here is what I am thinking:
having a BO server handle the DNS requests, change the
port to port 443 and then forward the traffic to the IP
address of their on-prem server, but I cannot think of a
good way to do this. I am thinking iptables, but surely
there must be a better (read as “easier”) way to do this
that I am just not seeing, as even with iptables I am not
sure I would be able to (could be a skills shortage on my
side if it is possible).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Anyway, any thoughts or ideas on
how to do this are warmly received.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Regards</span></p>
<p class="MsoNormal"><span>Brian</span></p>
<p class="MsoNormal"><span><br>
<br>
</span></p>
<pre>_______________________________________________</pre>
<pre>Blueonyx mailing list</pre>
<pre><a href="mailto:Blueonyx@mail.blueonyx.it" moz-do-not-send="true">Blueonyx@mail.blueonyx.it</a></pre>
<pre><a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" moz-do-not-send="true">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a></pre>
</blockquote>
</div>
</blockquote>
</body>
</html>