port 25 refused

Keith Lofstrom keithl at kl-ic.com
Tue Jul 20 15:10:14 UTC 2004


On Tue, 2004-07-20 at 01:06 -0700, Thornton wrote:
> Is this for a server or for home? If its for home your ISP may be
> blocking port 25.

I have a fairly robust solution for blocked ports.  I am working on
a writeup now, which should be at http://www.keithl.com/vpncolo.html
before Friday.

The idea is that you set up an external user-mode-linux co-location
site (typically about $20/mo) and put your published IP addresses 
and inbound services there.  Then you connect an outbound Virtual
Private Network from your internal network to the UML colo. 

Now you have only outbound services from your internal network, no
inbound.  If your broadband provider blocks ports (80=http, 25=smtp,
22=ssh) you can terminate the blocked ports at the colo and send
blocked services through the VPN tunnel.  If your service provider
rapidly changes your dynamic IP address, or even if they NAT (Network
Address Translate) your feed,  you can STILL connect outbound.  The
only way your provider can really stop you is to greatly restrict
the outbound ports you can connect to, in which case normal
services don't work.  I figure if they (stupidly) cut me down to
ONLY outbound port 80, I could set up my colo with a second IP
address ($1/month extra) that connects port 80 to the VPN instead
of the httpd web server.  Your service provider CAN'T block
outbound port 80 without making their service useless.  

I send outbound smtp (mail) through the tunnel and out from the
UML colo.  While some sites filter spam based on the source IP
address, the net sees mail coming from the same address as my
inbound.  If I were to send my outbound through smtp.comcast.net,
I could also get blocked if the Realtime Blackhole Lists (RBL)
decide my provider (Comcast) is a spammer, which I avoid by 
ignoring the comcast mail server. 

I do Domain Name Service for my websites and colo with dyndns.org. 
If my colo provider gets weird, or spammers invade the same IP
address block and get the whole block listed in the RBL, I can
sign up with a different colo company, upload my colo contents
to the new colo (I back it up nightly with Dirvish, www.dirvish.org),
move DNS pointers (dyndns makes this easy), and I am on-the-air in
a new, good IP address neighborhood within a few hours.  

Yes, this costs extra money per month, and setup time, but it 
avoids all the TOS (terms of service) issues, puts my websites
on a fat pipe, adds major flexibility, and increases security.
And if your server needs are modest, one UML colo can be shared
by many different individual sites, reducing cost further.

Again, I am working on a writeup, and I hope to provide a cookbook
for setting up a VPN-connected colo, which you can critique and use.

Keith

-- 
Keith Lofstrom           keithl at ieee.org         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
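The colo-side hand-off Keith describes above (terminate the ISP-blocked inbound ports on the colo's public address and pass only those ports down the VPN to the home network) as an added shell example; it is not from the original post or from any project mentioned in it. The interface names eth0 and tun0, the public IP, and the home end's tunnel address are assumed placeholders, and the function only prints the netfilter rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: build the netfilter rules a VPN-connected colo needs
# to forward ISP-blocked inbound ports to the home network over the tunnel.
# Assumed: eth0 = colo public NIC, tun0 = VPN tunnel interface on the colo.

PUB_IF="${PUB_IF:-eth0}"   # public interface on the colo (assumed name)
VPN_IF="${VPN_IF:-tun0}"   # tunnel interface on the colo (assumed name)

# colo_forward_rules PUBLIC_IP HOME_TUNNEL_IP "25 80 22"
# Prints one iptables command per line; nothing is applied here.
colo_forward_rules() {
    pub_ip=$1; home_ip=$2; ports=$3
    # Default-deny forwarding: only the ports listed below cross from the
    # public side into the tunnel.
    echo "iptables -P FORWARD DROP"
    # Replies from the home server back toward the Internet.
    echo "iptables -A FORWARD -i $VPN_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ports; do
        # Redirect the public port to the same port on the home server.
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $home_ip:$port"
        echo "iptables -A FORWARD -i $PUB_IF -o $VPN_IF -d $home_ip -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # Rewrite the source to the colo's tunnel address so the home server's
    # replies return through the tunnel rather than its ISP default route.
    # Cost: the home server sees the colo, not the real client, as the peer,
    # so source-IP based filtering (e.g. RBL checks) must run on the colo.
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -d $home_ip -j MASQUERADE"
}

# colo_forward_apply PUBLIC_IP HOME_TUNNEL_IP PORTS  (run as root on the colo)
colo_forward_apply() {
    sysctl -w net.ipv4.ip_forward=1
    colo_forward_rules "$@" | sh
}

# Number of rules that would be emitted for a given request.
colo_rule_count() { colo_forward_rules "$@" | wc -l | tr -d ' '; }

# Example (constructed addresses): colo_forward_rules 203.0.113.10 10.8.0.2 "25 80"
```

Review the printed rules first; `colo_forward_apply` runs them and enables IPv4 forwarding on the colo.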





More information about the users mailing list