[tor-relays] Comcast blocks ALL traffic with tor relays - probably firewall configuration; further tests

[xmrk2]

Starting from the most interesting info - another Comcast customer contacted me, lets call him CCB, and the first Comcast customer I mentioned previously will be CCA. CCB claims he had to disable some settings - probably "Advanced Security" - in his Comcast router, because before doing so, nobody was able to connect to his lightning node via IPv4 (clearnet, not tor). He claims to have done this back in July or August. We tested just today, and both sides were able to successfully initiate TCP connection, no blocking here. Importantly, at the same time I was not able to connect to CCA - timeout.

Chronology of tests, all times are in CEST.
around 18:00 yesterday - I started tor relay (non-exit, ExitPolicy reject *:*)
22:09 - it appeared as online on https://metrics.torproject.org/ . Started testing connection to CCA, using "socat -dd - TCP4:<CCA_ADDR>:<CCA_lightning_port>" every 5 minutes. Connected successfully.
07:07 - last successful connection to CCA
07:12 - first unsuccessful connection to CCA - timeout; all subsequent tests with CCA end with timeout
08:10 - stopped tor relay
13:09 - 13:14 - tests with CCB - both sides can connect
17:54 - still cannot connect to CCA
18:19 - connected to CCA from my mobile phone connection (so from another IP, which is not blacklisted, so we see CCA is not offline)
18:55 - still cannot connect to CCA

So port forwarding must be correct on CCA, or I would not be able to connect.

Now I think the blocking is real, probably on by default, but Comcast customers can opt-out.

Doubts / weaknesses of tests and theory:

- only tested with 2 Comcast users
- not sure about CCA's firewall settings - I just assume he has "Advanced Security" active
- my tests only cover connections from me to Comcast users. Not sure if this "Advanced Security" also blocks connections from Comcast users. On one hand, my lightning channel with CCA was inactive for a month or more, and CCA contacted me because of it. Lightning nodes want and try to connect to all peers they have channel with, automatically - so his node presumably tried to connect to mine. And lightning nodes publish their IP addresses, there are sites which show current IP addresses of lightning nodes, like https://1ml.com/node/030c3f19d742ca294a55c00376b3b355c3c90d61c6b6b39554dbc7ac19b141c14f (the link already points to a concrete node). My node should announce its IP addresses. So even if connection from me is blocked, he should initiate connection. Inactive channel means he was not successful, difficult to explain without blocking. OTOH, he claims he can connect to tor, so must be able to connect to at least some tor relay, not necessarily mine.

Any volunteer Comcast customers for further testing? Preferably without lightning nodes, because I'd like to test with this "Adv. security" active, and it may interfere with lightning node (or any other use-case which needs high uptime).

If my theory is correct, Comcast is slightly less evil than my very first post would suggest. Still evil, because this blocking has little to do with security - maybe blocking exit relays makes some sense, they can be misused to attacks, DDoS etc. But according to Comcast, merely running tor relay makes you a threat. And this so-called security is probably on by default (according to CCB) and "There are definitely popups all over the place telling me to turn it on". So it is probably not apparent that this setting blocks (some? most?) tor relays completely.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20230613/6f4a2c2a/attachment.htm>