We used to use Clearwire for a backup internet connection. We cannot afford to be off-line, and Clearwire looked like a cost-effective backup connection. While it was, the fact that Clearwire "managed" so many services forced us to stop using them. One major issue for us was that Clearwire was blocking traffic on specific ports that we need access to.
After speaking with their "tech-support" (who didn't know the difference between ICMP and TCP!) we determined they were not able to share with us the list of ports they blocked.
Not to worry - we have a few machines in our data-center which are un-restricted and know how to use iptables to log traffic.
Clearwire's View on Blocked Ports
Our first step was to contact their "tech-support" (888-253-2794) to simply ask which services are blocked. Of course when we called they had unexpectedly high call volumes, so we had to wait roughly XXX minutes. Tech support was quite clear that services are not blocked; they are managed. We also heard from tech-support that only port 80 is managed and they will not make any exceptions.
Determining Blocked Ports
Using one of our unrestricted servers in our Seattle data-center, we scanned our machine.
The scanning machine is a Super Micro octo-core running Gentoo with recent versions of the Linux kernel (2.6.27) and nmap (4.20).
The machine being scanned was a Toshiba dual core laptop also running Gentoo 2.6.27.
The laptop, which was directly connected to the Clearwire modem, had all network services stopped (output from netstat -anptu shows no listening ports).
We used iptables (iptables -A INPUT -s [scanner ip] -j LOG) to log the scanning.
From the scanning machine we ran a quick and dirty nmap scan and discovered 16 restricted ports.
    hydrogen ~ # nmap -P0 -T3 75.92.252.130

    Starting Nmap 4.20 ( http://insecure.org ) at 2009-03-01 17:25 PST
    Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
    Not shown: 1681 closed ports
    PORT     STATE    SERVICE
    1/tcp    filtered tcpmux
    25/tcp   filtered smtp
    55/tcp   filtered isi-gl
    77/tcp   filtered priv-rje
    80/tcp   filtered http
    135/tcp  filtered msrpc
    137/tcp  filtered netbios-ns
    138/tcp  filtered netbios-dgm
    139/tcp  filtered netbios-ssn
    411/tcp  filtered rmt
    412/tcp  filtered synoptics-trap
    427/tcp  filtered svrloc
    445/tcp  filtered microsoft-ds
    548/tcp  filtered afpovertcp
    631/tcp  filtered ipp
    3689/tcp filtered rendezvous

    Nmap finished: 1 IP address (1 host up) scanned in 8.864 seconds
In Depth Scan
Then we ran a slightly more thorough scan and received the following information from nmap.

    Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
    Not shown: 65516 closed ports
    PORT     STATE    SERVICE
    1/tcp    filtered tcpmux
    25/tcp   filtered smtp
    55/tcp   filtered isi-gl
    77/tcp   filtered priv-rje
    80/tcp   filtered http
    135/tcp  filtered msrpc
    137/tcp  filtered netbios-ns
    138/tcp  filtered netbios-dgm
    139/tcp  filtered netbios-ssn
    411/tcp  filtered rmt
    412/tcp  filtered synoptics-trap
    427/tcp  filtered svrloc
    445/tcp  filtered microsoft-ds
    548/tcp  filtered afpovertcp
    631/tcp  filtered ipp
    3689/tcp filtered rendezvous
    5298/tcp filtered unknown
    5353/tcp filtered unknown
    8770/tcp filtered unknown

    Nmap finished: 1 IP address (1 host up) scanned in 1585.618 seconds
    Raw packets sent: 66528 (2.927MB) | Rcvd: 66120 (3.042MB)
From the resulting logs on the laptop, which were parsed with a simple PHP script, we determined what iptables thought was not passed through. The script simply looks at what was passed through (and logged by iptables) and compares that to what was expected (all traffic).

    Port 1 Skipped
    Port 22 Skipped
    Port 25 Skipped
    Port 55 Skipped
    Port 77 Skipped
    Port 80 Skipped
    Port 135 Skipped
    Port 139 Skipped
    Port 445 Skipped
    Port 5070 Skipped
    Port 5500 Skipped
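The comparison described above, as an added example in Python; it is not the original PHP script, which the page does not show. It assumes the kernel's usual LOG-target line layout (SRC=, PROTO=, DPT= fields); the scanner address 203.0.113.10, the sample log lines and the function names are constructed for illustration.

```python
import re

# Kernel LOG-target lines carry key=value fields in a fixed order: SRC ... PROTO ... DPT.
LOG_RE = re.compile(r"\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)")

def seen_ports(log_lines, scanner_ip, proto="TCP"):
    """Destination ports on which a probe from scanner_ip reached the host."""
    ports = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unrelated syslog line, or ICMP (no DPT field)
        if m["src"] == scanner_ip and m["proto"] == proto:
            ports.add(int(m["dpt"]))
    return ports

def skipped_ports(log_lines, scanner_ip, expected_ports, proto="TCP"):
    """Ports that were probed but never logged, i.e. dropped before the host."""
    return sorted(set(expected_ports) - seen_ports(log_lines, scanner_ip, proto))

# --- constructed sample data (addresses are documentation ranges) ---
SCANNER = "203.0.113.10"

def _log(src, proto, dpt):
    return (f"Mar  1 17:25:01 laptop kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.20 "
            f"LEN=44 TTL=52 PROTO={proto} SPT=40000 DPT={dpt} WINDOW=1024 SYN URGP=0")

SAMPLE_LOG = (
    [_log(SCANNER, "TCP", p) for p in (20, 21, 23, 24, 26)]
    + [_log("198.51.100.7", "TCP", 22)]   # other host: must not count as seen
    + [_log(SCANNER, "UDP", 25)]          # wrong protocol: must not count
    + ["Mar  1 17:25:02 laptop sshd[411]: unrelated line"]
)

if __name__ == "__main__":
    for port in skipped_ports(SAMPLE_LOG, SCANNER, range(20, 27)):
        print(f"Port {port} Skipped")
```

Pass as expected_ports only the ports the scanner actually probed; a port that was never sent would otherwise be reported as skipped.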
We ran similar tests over multiple days with our Clearwire modem in different locations - North Seattle, Ballard, West-Seattle and Redmond. In each case the results were the same.
Conclusion
Clearwire blocks more in-bound traffic than they tell you they do. Dishonest providers are undesirable.