We used to use Clearwire for a backup internet connection. We cannot afford to be off-line and Clearwire looked like a cost effective backup connection. While it was, the fact that Clearwire "managed" so many services forced us to stop using them. One major issue for us was that Clearwire was blocking traffic on specific ports that we need access to.

After speaking with their "tech-support" (who didn't know the difference between ICMP and TCP!) we determined they were not able to share with us the list of ports they blocked. Not to worry - we have a few machines in our data-center which are un-restricted and know how to use iptables to log traffic.

Clearwire's View on Blocked Ports

Our first step was to contact their "tech-support" (888-253-2794) to simply ask which services are blocked. Of course, when we called they had unexpectedly high call volumes, so we had to wait roughly XXX minutes. Tech support was quite clear that services are not blocked; they are "managed". We also heard from tech-support that only port 80 is managed and that they will not make any exceptions.

Determining Blocked Ports

Using one of our unrestricted servers in our Seattle data-center we scanned our machine. The scanning machine is a Super Micro octo-core running Gentoo with recent versions of the Linux kernel (2.6.27) and nmap (4.20). The machine being scanned was a Toshiba dual core laptop also running Gentoo 2.6.27. The laptop, which was directly connected to the Clearwire modem, had all network services stopped (output from netstat -anptu shows no listening ports). We used iptables (iptables -A INPUT -s [scanner ip] -j LOG) to log the scanning.

From the scanning machine we ran a quick and dirty nmap scan and discovered 16 restricted ports.

hydrogen ~ # nmap -P0 -T3 75.92.252.130

Starting Nmap 4.20 ( http://insecure.org ) at 2009-03-01 17:25 PST
Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
Not shown: 1681 closed ports
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
25/tcp   filtered smtp
55/tcp   filtered isi-gl
77/tcp   filtered priv-rje
80/tcp   filtered http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
411/tcp  filtered rmt
412/tcp  filtered synoptics-trap
427/tcp  filtered svrloc
445/tcp  filtered microsoft-ds
548/tcp  filtered afpovertcp
631/tcp  filtered ipp
3689/tcp filtered rendezvous

Nmap finished: 1 IP address (1 host up) scanned in 8.864 seconds

In Depth Scan

Then we ran a slightly more thorough scan and received the following information from nmap.

Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
Not shown: 65516 closed ports
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
25/tcp   filtered smtp
55/tcp   filtered isi-gl
77/tcp   filtered priv-rje
80/tcp   filtered http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
411/tcp  filtered rmt
412/tcp  filtered synoptics-trap
427/tcp  filtered svrloc
445/tcp  filtered microsoft-ds
548/tcp  filtered afpovertcp
631/tcp  filtered ipp
3689/tcp filtered rendezvous
5298/tcp filtered unknown
5353/tcp filtered unknown
8770/tcp filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1585.618 seconds
               Raw packets sent: 66528 (2.927MB) | Rcvd: 66120 (3.042MB)

From the resulting logs on the laptop, which were parsed with a simple PHP script, we determined what iptables thought was not passed through. The script simply looks at what was passed through (and logged by iptables) and compares that to what was expected (all traffic).

Port 1 Skipped
Port 22 Skipped
Port 25 Skipped
Port 55 Skipped
Port 77 Skipped
Port 80 Skipped
Port 135 Skipped
Port 139 Skipped
Port 445 Skipped
Port 5070 Skipped
Port 5500 Skipped

We ran similar tests over multiple days with our Clearwire modem in different locations - North Seattle, Ballard, West-Seattle and Redmond. In each case the results were the same.
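
The PHP script is not reproduced on this page. As an added example (not the authors' code), the same comparison in Python: collect the destination ports found in iptables LOG lines from the scanner and report every probed port that never arrived. The log lines, the addresses (203.0.113.10, 198.51.100.7, 192.0.2.99) and the function names are constructed for illustration.

```python
import re

# Fields of an iptables LOG line we need: source address, protocol, destination port.
LOG_RE = re.compile(
    r"\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)\b"
)

def ports_seen(log_lines, scanner_ip, proto="TCP"):
    """Destination ports that reached this host from scanner_ip."""
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        # ICMP and truncated lines carry no DPT= field and simply do not match.
        if m and m["src"] == scanner_ip and m["proto"] == proto:
            seen.add(int(m["dpt"]))
    return seen

def ports_skipped(log_lines, scanner_ip, expected, proto="TCP"):
    """Ports that were probed but never logged, i.e. dropped before the host."""
    return sorted(set(expected) - ports_seen(log_lines, scanner_ip, proto))

# Constructed sample data (assumption): scanner 203.0.113.10 probes TCP 20-26.
SCANNER = "203.0.113.10"
_FMT = ("Mar  1 17:25:01 laptop kernel: IN=eth0 OUT= SRC={} "
        "DST=198.51.100.7 LEN=44 TTL=52 PROTO={} {}")

def _tcp(src, port):
    return _FMT.format(src, "TCP", f"SPT=40000 DPT={port} WINDOW=1024 SYN")

SAMPLE_LOG = [_tcp(SCANNER, p) for p in (20, 21, 23, 24, 26)]
SAMPLE_LOG += [
    _tcp("192.0.2.99", 25),                                   # other host: ignored
    _FMT.format(SCANNER, "UDP", "SPT=40000 DPT=22 LEN=24"),   # wrong protocol: ignored
    _FMT.format(SCANNER, "ICMP", "TYPE=8 CODE=0 ID=1 SEQ=1"), # no DPT: ignored
]

if __name__ == "__main__":
    for port in ports_skipped(SAMPLE_LOG, SCANNER, range(20, 27)):
        print(f"Port {port} Skipped")
```

For a full scan, pass `range(1, 65536)` as the expected set and feed the function the kernel log lines captured during the scan window.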

Conclusion

Clearwire blocks more in-bound traffic than they tell you they do. Dishonest providers are undesirable.