 

Why do browsers block some ports?

I'm playing around with websockets and it appears that all browsers with native websocket support I tested with (Safari, Chrome) block some ports. If I try to connect to my server over port 80, everything works fine. If I try other ports, like 81, 82 or 1000, the connection is prematurely closed because there's nothing on the other end. That's the expected behaviour and it works beautifully.

However, with some ports (such as 20, 37 or 79), the Chrome developer console simply says WebSocket port 79 blocked but my JS code doesn't receive any information about this (not even some sort of timeout). Safari is a little more verbose and comments SECURITY_ERR: DOM Exception 18: An attempt was made to break through the security policy of the user agent.

So my questions are these:

How can I reliably detect that a port is blocked?
Do I have to set a timeout and check that manually? That doesn't seem to be the smartest way to go about it, although it might be the only way to do it cross-browser.

Where can I find a list of the blocked ports?
My Google search didn't turn up anything useful, unfortunately.

Why are these ports blocked in the first place?

Thanks in advance!

n3rd asked Nov 30 '10 11:11


3 Answers

Okay, I found the answer. Sometimes you just don't see the forest for the trees.

First off, handling cases of blocked ports is trivial. A simple try/catch does the trick. I was simply confused by the way Chrome displayed that exception and didn't recognize it as such right away (I usually use Firefox).

Secondly, the WebSockets API Specification explicitly states that

If port is a port to which the user agent is configured to block access, then throw a SECURITY_ERR exception. (User agents typically block access to well-known ports like SMTP.)

What ports exactly are meant by that appears to be up to the browser's Websocket implementation. My tests have shown that Chrome and Safari block the following ports (only ports below 1024 were tested):

  • 1: TCPMUX
  • 7: Echo Protocol
  • 9: Discard Protocol
  • 11: systat service
  • 13: Daytime Protocol
  • 15: Netstat service
  • 17: Quote of the Day
  • 19: Character Generator Protocol
  • 20: FTP
  • 21: FTP
  • 22: SSH
  • 23: Telnet
  • 25: SMTP
  • 37: TIME protocol
  • 42: nameserver/WINS
  • 43: WHOIS
  • 53: DNS
  • 77: RJE Service
  • 79: Finger
  • 87: link
  • 95: supdup
  • 101: NIC host name
  • 102: ISO-TSAP
  • 103: gppitnp
  • 104: ACR/NEMA
  • 109: POP2
  • 110: POP3
  • 111: SunRPC
  • 113: ident
  • 115: SFTP
  • 117: UUCP Path Service
  • 119: NNTP
  • 123: NTP
  • 135: Microsoft EPMAP
  • 139: NetBIOS Session Service
  • 143: IMAP
  • 179: BGP
  • 389: LDAP
  • 465: Cisco protocol
  • 512: comsat
  • 513: rlogin
  • 514: Syslog
  • 515: Line Printer Daemon
  • 526: tempo
  • 530: RPC
  • 531: IRC
  • 532: netnews
  • 540: UUCP
  • 556: RFS
  • 563: NNTPS
  • 587: SMTP
  • 601: unknown
  • 636: LDAPS
  • 993: IMAPS
  • 995: POP3S

The associated services are taken from the list of TCP and UDP port numbers on Wikipedia.

n3rd answered Oct 11 '22 13:10


For completeness, more complete lists can be found at these links:

  • http://www-archive.mozilla.org/projects/netlib/PortBanning.html
  • http://code.google.com/p/browsersec/wiki/Part2#Port_access_restrictions
Nibbler answered Oct 11 '22 11:10


To add a fresh list to the old question:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/net/base/port_util.cc

// The general list of blocked ports. Will be blocked unless a specific
// protocol overrides it. (Ex: ftp can use ports 20 and 21)
const int kRestrictedPorts[] = {
    1,       // tcpmux
    7,       // echo
    9,       // discard
    11,      // systat
    13,      // daytime
    15,      // netstat
    17,      // qotd
    19,      // chargen
    20,      // ftp data
    21,      // ftp access
    22,      // ssh
    23,      // telnet
    25,      // smtp
    37,      // time
    42,      // name
    43,      // nicname
    53,      // domain
    77,      // priv-rjs
    79,      // finger
    87,      // ttylink
    95,      // supdup
    101,     // hostriame
    102,     // iso-tsap
    103,     // gppitnp
    104,     // acr-nema
    109,     // pop2
    110,     // pop3
    111,     // sunrpc
    113,     // auth
    115,     // sftp
    117,     // uucp-path
    119,     // nntp
    123,     // NTP
    135,     // loc-srv /epmap
    139,     // netbios
    143,     // imap2
    179,     // BGP
    389,     // ldap
    427,     // SLP (Also used by Apple Filing Protocol)
    465,     // smtp+ssl
    512,     // print / exec
    513,     // login
    514,     // shell
    515,     // printer
    526,     // tempo
    530,     // courier
    531,     // chat
    532,     // netnews
    540,     // uucp
    548,     // AFP (Apple Filing Protocol)
    556,     // remotefs
    563,     // nntp+ssl
    587,     // smtp (rfc6409)
    601,     // syslog-conn (rfc3195)
    636,     // ldap+ssl
    993,     // ldap+ssl
    995,     // pop3+ssl
    2049,    // nfs
    3659,    // apple-sasl / PasswordServer
    4045,    // lockd
    6000,    // X11
    6665,    // Alternate IRC [Apple addition]
    6666,    // Alternate IRC [Apple addition]
    6667,    // Standard IRC [Apple addition]
    6668,    // Alternate IRC [Apple addition]
    6669,    // Alternate IRC [Apple addition]
    6697,    // IRC + TLS
};
HolgerJeromin answered Oct 11 '22 12:10
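The following is an added example and is not code from the question, from any of the answers, or from Chromium. It ties together the two practical points on this page: the first answer's observation that a blocked port surfaces as a synchronous SecurityError that a try/catch around `new WebSocket()` catches (nothing ever arrives on onerror/onclose, so a timeout alone cannot detect it), and the third answer's kRestrictedPorts list, which is copied here as a pre-flight check. The WebSocket constructor is injected as a parameter so the logic can be exercised offline with fakes; the names `openWebSocket`, `effectivePort`, `isRestrictedPort` and the `example.test` hostnames are this example's own. It assumes a browser-compatible constructor, i.e. one that throws a DOMException named "SecurityError" (older WebKit: name "SECURITY_ERR", code 18, as quoted in the question) for a restricted port.

```javascript
// Added example: detect "port blocked by the browser" separately from
// "nothing is listening" when opening a WebSocket. Not from the original
// question, answers, or Chromium; names below are this example's own.

// Port numbers copied from the kRestrictedPorts array quoted above. This is
// a snapshot of one Chromium revision: browsers add entries over time, so
// treat the list as advisory and the constructor exception as authoritative.
const RESTRICTED_PORTS = new Set([
  1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 77, 79,
  87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135,
  139, 143, 179, 389, 427, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540,
  548, 556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666,
  6667, 6668, 6669, 6697,
]);

// The TCP port a ws:// or wss:// URL will actually connect to (80 or 443
// when the URL carries no explicit port). Throws TypeError for other schemes.
function effectivePort(url) {
  const u = new URL(url);
  if (u.protocol !== 'ws:' && u.protocol !== 'wss:') {
    throw new TypeError(`not a WebSocket URL: ${url}`);
  }
  if (u.port !== '') return Number(u.port);
  return u.protocol === 'wss:' ? 443 : 80;
}

function isRestrictedPort(url) {
  return RESTRICTED_PORTS.has(effectivePort(url));
}

// Opens a WebSocket and resolves with one of:
//   { status: 'blocked', reason }  pre-flight hit, or the constructor threw SecurityError
//   { status: 'open', socket }     handshake completed
//   { status: 'failed', code }     closed before opening (nothing listening, TLS error, ...)
//   { status: 'timeout' }          neither open nor close within timeoutMs
// Rejects only for a malformed or non-WebSocket URL.
// Assumption: WebSocketImpl behaves like the browser constructor (throws a
// DOMException named "SecurityError" synchronously for a restricted port).
function openWebSocket(url, { WebSocketImpl = globalThis.WebSocket, timeoutMs = 5000 } = {}) {
  return new Promise((resolve) => {
    const port = effectivePort(url);
    if (RESTRICTED_PORTS.has(port)) {
      resolve({ status: 'blocked', reason: `port ${port} is on the restricted list` });
      return;
    }
    if (typeof WebSocketImpl !== 'function') {
      resolve({ status: 'failed', code: null, reason: 'no WebSocket implementation' });
      return;
    }

    let socket;
    try {
      socket = new WebSocketImpl(url);
    } catch (err) {
      // A blocked port surfaces here, synchronously. onerror/onclose never
      // fire for it, which is why waiting on a timeout alone is the wrong tool.
      // Legacy WebKit spelled the name SECURITY_ERR with code 18.
      if (err && (err.name === 'SecurityError' || err.name === 'SECURITY_ERR' || err.code === 18)) {
        resolve({ status: 'blocked', reason: err.message });
      } else {
        resolve({ status: 'failed', code: null, reason: String(err) });
      }
      return;
    }

    let settled = false;
    let timer = null;
    const settle = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(result);
    };
    timer = setTimeout(() => {
      settle({ status: 'timeout' });
      try { socket.close(); } catch (_) { /* already closed, or a fake without close() */ }
    }, timeoutMs);
    socket.onopen = () => settle({ status: 'open', socket });
    socket.onclose = (ev) => settle({ status: 'failed', code: ev ? ev.code : null });
  });
}
```

In a browser, call `openWebSocket('ws://host:79/')` with no options: the pre-flight is redundant there because the constructor throws anyway, but it yields a readable reason without a network attempt, and it lets the same code run under Node with fake constructors. One caveat on the 'failed' branch: the browser deliberately does not tell scripts why a handshake failed (connection refused, TLS failure and a non-WebSocket server all close with code 1006), so the status can say "not blocked, but unusable" and no more.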