Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.


Network / Server Status Please check often for network / Server updates here!

  #46  
Old 05-14-2003, 01:07 PM
thecomputerpro
Just Because
Vortech Inc. Customer
 
Location: Salt Lake City, UT
Quote:
Originally posted by dwhite
thecomputerpro, you of all people should realize that there are several ways to configure internal network security, some to address specific problems that another network is not having to deal with. To say that someone's network is not decent because it does not automatically work with a change like this that was not announced ahead of time is very unprofessional. I'm willing to deal with what is my responsibility, and I'm not unhappy that Matrix is trying to provide better security. But changes like this can produce unexpected results, and because it was initiated by them, I feel that they should take some responsibility in working through the issues that crop up.

P.S. I will add, that so far, they have been working with us. Cheers!


OK.. Did not mean to come off as "unprofessional". Maybe a little more forewarning from Matrix would have helped. Yes, I do know there are many ways to address internal network security and all I meant to say really was, instead of just pointing at Matrix and telling them to fix it, take just a sec and look at your config to see if it might be contributing.

And yes, I believe Matrix will put forth their best effort to find the balance between security on their network and customers needs.
  #47  
Old 05-14-2003, 01:14 PM
protector
Guest
 
hi, this is my first post, although i'm following it since some time. i'm quite wondering about this situation... wondering enough to reply.

1) is zys offline since hours at least partially? yes it seems so
2) did matrix change fw settings without prior notice? yes it seems so
3) is it normal to get angry after being offline for a long time? yes indeed
4) is it normal not to get any phone answer when a customer having problems calls? not at all
5) is it normal that a customer hangs partially offline for hours, and then gets accused to be rude? it's ridiculous!

reading stuff like: "See, there you go again with the sarcasm. I gotta say, if you were a customer of MY site I would probably not reply to you for hours because being rude is not the way to get someone to help you. At least it doesn't work with me." makes me really laugh! vixenshop.com is this a way to do business? I guess you should learn one very important business rule: if you fail to provide the service the customer pays for, YOU have to fix it, to answer to all the tickets and to fix that asap. if you don't... YOU fail... and it's obvious a customer gets angry...

rude? do you call this rude? you should see me in a situation like this
  #48  
Old 05-14-2003, 01:15 PM
admin
Vortech Inc. Owner
Location: Orlando FL
zye, your IP range for 65.57.228.XXX is wide open. We have not made any changes to your IPs. I can't ping your IPs from inside the network so there may be something up with your Cobalt. Have you tried just rebooting it? It may keep an ARP table on the Cobalt and it may be messed up or not getting the right info. If you send in a ticket with your login info to your server we can log in and take a closer look as nothing on our side seems to be wrong.


Alan should be posting the config here for your IPs as well so that you can see we are not blocking anything for your IPs. You are the only one having this issue as well. If it was an IP thing it would be 2 full C blocks doing it, not just 10 IPs having an issue, if it was something on our side..
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

My Other Life:
  #49  
Old 05-14-2003, 01:17 PM
alan
Guest
 
I went in and gave full access to this Cobalt server this morning, and just added all your other IPs as well under a default "allow everything" for all these.

You might want to check your server as I have set the ACL to permit all traffic especially to your IPs, as you can see from the snippet from the config file.
(permit) (every protocol) (anything) (destination). There is no reason why 1 would work and not the others.


  #50  
Old 05-14-2003, 01:23 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally posted by protector
hi, this is my first post, although i'm following it since some time. i'm quite wondering about this situation... wondering enough to reply.

1) is zys offline since hours at least partially? yes it seems so
2) did matrix change fw settings without prior notice? yes it seems so
3) is it normal to get angry after being offline for a long time? yes indeed
4) is it normal not to get any phone answer when a customer having problems calls? not at all
5) is it normal that a customer hangs partially offline for hours, and then gets accused to be rude? it's ridiculous!

reading stuff like: "See, there you go again with the sarcasm. I gotta say, if you were a customer of MY site I would probably not reply to you for hours because being rude is not the way to get someone to help you. At least it doesn't work with me." makes me really laugh! vixenshop.com is this a way to do business? I guess you should learn one very important business rule: if you fail to provide the service the customer pays for, YOU have to fix it, to answer to all the tickets and to fix that asap. if you don't... YOU fail... and it's obvious a customer gets angry...

rude? do you call this rude? you should see me in a situation like this



He did not have to wait, 20 min after he IMed I was already working on his issue. Him saying that we are not helping him is just untrue.. He has not been offline for hours due to something we have done. We don't have logins to his system and he never gave them to us.. 1/2 of his IPs are working then another 1/2 are not.. Only way we can tell what's going on is maybe logging in to his system..
  #51  
Old 05-14-2003, 01:38 PM
zye
Registered User
 
high ports are open again

just did a reboot - now it seems that everything is working again - after 5 hours

zye
  #52  
Old 05-14-2003, 01:41 PM
admin
Vortech Inc. Owner
Location: Orlando FL
That would have been the first thing I tried.. Sorry I did not tell you to try that on ICQ, I guess I thought you would have tried that if just 1/2 your IPs were not working. But as I said it was not something we did, we had not even made any changes at 8 something am when you IMed me..
  #53  
Old 05-14-2003, 01:48 PM
zye
Registered User
 
i did reboot about 4 hours ago cause i thought somehow ?? ssh crashed - nothing changed back then

zye
  #54  
Old 05-14-2003, 02:09 PM
protector
Guest
 
sorry, I'm not here to protect zye or somebody... but being unable to ssh because ssh runs on a high port which matrix did just lock out without prior notice... well this is really not funny... and if this issue took so long... well I can perfectly understand zye getting angry.

anyway... glad to see that this issue is solved but please allow me to give you my 2 cents

- before closing certain ports it's a must for any ISP to give a prior notice of at least 1 week

- I don't think it's a good idea to post IP addresses of your customers in this forum, even if you have quite strong firewall settings
  #55  
Old 05-14-2003, 02:17 PM
admin
Vortech Inc. Owner
Location: Orlando FL
protector, we posted here on this forum and sent out 3 emails to all customers..

The ssh port 22 has always been open or we would not be able to get in. We also asked customers to email us if they ran custom ports or needed them to be all open, we just never got one from him.


Also it was not something we could fix without access to his server, it was not something we did.. He just posted before it did not work, he reboots then it works. Sorry but to me that's an issue on the server not the network, we could not even ping him so it had nothing to do with ports being blocked, heck we could not even ping him inside the network with no firewall..

Last edited by admin : 05-14-2003 at 02:20 PM.
  #56  
Old 05-14-2003, 02:39 PM
zye
Registered User
 
just to clarify this :

i got the first notice about firewall on the 13. May at 9:30 pm which says

Quote:
As of 1:30 this afternoon the firewall is in place and i think I'm about done changing the configuration. As such you will have to use port ftp, not passive ftp to use this service. Passive is now disabled because of the range of ports it was using. We will now have a more secure network with real time tracking of all logs.


now i don't think the mistake is on my side ( serverside ) sure it is not

but u know - i don't even care - this forum is a joke and 4:15 hours to reply to a support ticket well i guess you get the idea if not - ha - i don't care too

whatever as you americans say

cheers
zye
  #57  
Old 05-14-2003, 03:06 PM
admin
Vortech Inc. Owner
Location: Orlando FL
The forum's a joke, we don't reply to tickets, I did not help you on ICQ..

I just don't get you..

[May 14, 2003 8:29:59 AM] You sent in a ticket
[May 14, 2003 12:46:33 PM] We replied to your ticket that we opened all ports..

The reason it took some time for the reply was I was working with the router techs trying to find anything wrong and we never did, even after we opened your IPs wide open before your reboot it still did not work, it also did not work from inside the network as I told you..


Here is the problem I have with your story here.. You said yourself you run SSH on a higher port, ok that's fine, I understand why that would not work. But you never SAID a thing about this on ICQ to me. You also never said anything about this in your tickets..

Now ping has always been allowed to pass through our router to any and all IPs, but I could not ping your server on any of the IPs you gave me on ICQ.. I am still waiting for you to give me some kind of hint or idea how this could have been something we did.

Then we opened all ports at 12:46:33 PM then you rebooted at 01:38 PM and said it all worked then. Well I know SSH would work at this point but ping should have worked before that unless you run ping on some other port than 7 that has always been open. That’s my issue here, you said you could not ping the server and that the IPs were down, but there is no way this was done on our side as PING is open for every server and we would have never blocked ping for just your IPs as I had no idea what your IPs were till you IMed me.

So if the only thing custom you are running is SSH on a high port why did SMTP, POP3, FTP, PING, HTTP or anything else not work.. We did not block any of them.. That is why I am lost. I have tried to help you but you do seem to have a bit of a temper. I don't blame you for being upset but I am just not seeing how anything we did caused your issue. There is just no way 15 IPs of a C block would stop working and everything else around it work 100% fine in that same C block unless there was an issue on your server, plain and simple. I am sorry, but unless someone else can prove me wrong or you can prove me wrong I would be happy to give you a credit for the full month for the issue if we did something wrong...

If all of your IPs did not work I might see how we could have done it but only half of your IPs did not work on your server.. So you could ping, HTTP, FTP, SMTP, POP3 to half of your IPs but not the other half.. The blocking was network wide not just to the 65.57.2xx range or 216.157.1xx range. That’s why I am lost as to why you're still saying it was us.
  #58  
Old 05-14-2003, 03:07 PM
Lindsey
Guest
 
Quote:
Originally posted by zye
just to clarify this :

i got the first notice about firewall on the 13. May at 9:30 pm which says



now i don't think the mistake is on my side ( serverside ) sure it is not

but u know - i don't even care - this forum is a joke and 4:15 hours to reply to a support ticket well i guess you get the idea if not - ha - i don't care too

whatever as you americans say

cheers
zye


Now that was just uncalled for
  #59  
Old 05-14-2003, 03:15 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally posted by zye
just to clarify this :

i got the first notice about firewall on the 13. May at 9:30 pm which says



now i don't think the mistake is on my side ( serverside ) sure it is not

but u know - i don't even care - this forum is a joke and 4:15 hours to reply to a support ticket well i guess you get the idea if not - ha - i don't care too

whatever as you americans say

cheers
zye


Also I guess you just missed this email and post we sent out to everyone??

Starting on Monday May 12th I will be making some security changes to our Cisco firewall. We will only be allowing certain ports as well as protocols to enter the network. I am compiling the ACL with the other admins as well as psoft to get a current list of the ports to leave open, i.e. inbound as well as outbound, double-checking that I didn't miss any. I will be running the configuration tonight on my own Cisco rack @ home to ensure compatibility. If however during the course of the modifications you notice that a certain port was missed you can email support@vortechhosting as we will be monitoring this throughout the upgrade if we missed one. As I will be at the console port during configuration, there should only be a momentary reload of the router as I save the config to flash.

Just submit the port as well as the service you need and I can fix it immediately. i.e.

Examples:

port needed:22
Reason/Service:ssh

port needed:23
Reason/Service:telnet
  #60  
Old 05-14-2003, 03:58 PM
prime
Vortech Inc. Customer
 
First of all I want to say thanks to Vortech for keeping these forums open even though the level of conversation degrades from time to time. They are worth it.

Ontopic now: I just spent a considerable amount of time and effort with a client who was unable to FTP. It turned out his local firewall was preventing access and he had to go through the trouble of reconfiguring it. I know many clients (especially in larger organizations) who wouldn't be able to do this. They would have to quit hosting with me, period.

This has the potential of being a huge problem: what happens if someone signs up and both client and reseller end up wasting time and money only to find out that hosting is impossible given the FTP constraints for that client? Client is unhappy, reseller is unhappy.

I think a few posters near the beginning of this thread had some ideas on how opening some of those higher ports could be done with minimal risk. Right now I'd really like to see these examined -- the hassle and expense in not having passive ability may be higher than the savings associated with totally blocking those ports.

If the decision is made to keep things the way they are, we're going to have to come up with some way of making sure clients are aware of this limitation (and can test for it) before they begin the signup process.
Reply With Quote
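The FTP trade-off raised in post #60 and in the firewall notice quoted in post #56 ("port ftp, not passive ftp"), as an added example that is not part of any post in this thread: it decodes the data-connection endpoint from a passive-mode 227 reply and an active-mode PORT command, then checks the passive port against an inbound allow-list. The allow-list, the 50000-50100 passive range, and the sample lines are constructed assumptions, not the ACL discussed above.

```python
import re

# Constructed inbound allow-list for a hosting edge firewall (an assumption,
# not the ACL from the thread): well-known service ports only.
ALLOW_INBOUND = [(21, 21), (22, 22), (25, 25), (80, 80), (110, 110), (443, 443)]
# Hypothetical narrow range a server's FTP daemon could be pinned to.
PASV_RANGE = (50000, 50100)

# Constructed control-channel lines (documentation-range addresses).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)"
PORT_CMD = "PORT 198,51,100,7,4,1"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple of RFC 959."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no address tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def permitted(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def data_channel(line, server_inbound):
    """Who listens for the data connection, on which port, and whether the
    hosting side's inbound allow-list lets that connection in."""
    _, port = parse_endpoint(line)
    verb = line.split()[0].upper()
    if verb == "227":
        # Passive: the client connects IN to the server on this port.
        return {"mode": "passive", "listener": "server", "port": port,
                "server_inbound_ok": permitted(port, server_inbound)}
    if verb == "PORT":
        # Active: the server connects OUT from port 20 to the client, so the
        # decision moves to the client's own firewall.
        return {"mode": "active", "listener": "client", "port": port,
                "server_inbound_ok": None}
    raise ValueError("expected a 227 reply or a PORT command")


if __name__ == "__main__":
    for rules in (ALLOW_INBOUND, ALLOW_INBOUND + [PASV_RANGE]):
        print(data_channel(PASV_REPLY, rules))
    print(data_channel(PORT_CMD, ALLOW_INBOUND))
```

With only well-known ports allowed, the passive data port is refused at the hosting edge; adding the single pinned range admits it, while active mode moves the inbound listener to the client's network instead.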