Why do browsers block some ports?
I'm playing around with websockets and it appears, that all browsers with native websocket support I tested with (Safari, Chrome) block some ports. If I try to connect to my server over port 80, everyting works fine. If I try other ports, like 81, 82 or 1000, the connection is prematurely closed because there's nothing on the other end. That's the expected behaviour and it works beautifully.
However, with some ports (such as 20, 37 or 79), the Chrome developer console simply says WebSocket port 79 blocked
but my JS code doesn't receive any information about this (not even some sort of timeout). Safari is a little more verbose and comments SECURITY_ERR: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
So my questions are these:
How can I reliably detect that a port is blocked?
Do I have to set a timeout and check that manually? That doesn't seem to be the smartest way to go about it, although it might be the only way to do it cross-browser.Where can I find a list of the blocked ports?
My Google search didn't turn up anything useful, unfortunately.Why are th开发者_高级运维ese ports blocked in the first place?
Thanks in advance!
Okay, I found the answer. Sometimes you just don't see the forest for the trees.
First off, handling cases of blocked ports is trivial. A simple try/catch
does the trick. I was simply confused by the way Chrome displayed that exception and didn't recognize it as such right away (I usually use Firefox).
Secondly, the WebSockets API Specification explicitly states that
If port is a port to which the user agent is configured to block access, then throw a SECURITY_ERR exception. (User agents typically block access to well-known ports like SMTP.)
What ports exactly are meant by that appears to be up to the browser's Websocket implementation. My tests have shown that Chrome and Safari block the following ports (only ports below 1024 were tested):
- 1: TCPMUX
- 7: Echo Protocol
- 9: Discard Protocol
- 11: systat service
- 13: Daytime Protocol
- 15: Netstat service
- 17: Quote of the Day
- 19: Character Generator Protocol
- 20: FTP
- 21: FTP
- 22: SSH
- 23: Telnet
- 25: SMTP
- 37: TIME protocol
- 42: nameserver/WINS
- 43: WHOIS
- 53: DNS
- 77: RJE Service
- 79: Finger
- 87: link
- 95: supdup
- 101: NIC host name
- 102: ISO-TSAP
- 103: gppitnp
- 104: ACR/NEMA
- 109: POP2
- 110: POP3
- 111: SunRPC
- 113: ident
- 115: SFTP
- 117: UUCP Path Service
- 119: NNTP
- 123: NTP
- 135: Microsoft EPMAP
- 139: NetBIOS Session Service
- 143: IMAP
- 179: BGP
- 389: LDAP
- 465: Cisco protocol
- 512: comsat
- 513: rlogin
- 514: Syslog
- 515: Line Printer Daemon
- 526: tempo
- 530: RPC
- 531: IRC
- 532: netnews
- 540: UUCP
- 556: RFS
- 563: NNTPS
- 587: SMTP
- 601: unknown
- 636: LDAPS
- 993: IMAPS
- 995: POP3S
The associated services are taken from the list of TCP and UDP port numbers on Wikipeda.
To add a fresh list to the old question:
https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/net/base/port_util.cc
// The general list of blocked ports. Will be blocked unless a specific
// protocol overrides it. (Ex: ftp can use ports 20 and 21)
const int kRestrictedPorts[] = {
1, // tcpmux
7, // echo
9, // discard
11, // systat
13, // daytime
15, // netstat
17, // qotd
19, // chargen
20, // ftp data
21, // ftp access
22, // ssh
23, // telnet
25, // smtp
37, // time
42, // name
43, // nicname
53, // domain
77, // priv-rjs
79, // finger
87, // ttylink
95, // supdup
101, // hostriame
102, // iso-tsap
103, // gppitnp
104, // acr-nema
109, // pop2
110, // pop3
111, // sunrpc
113, // auth
115, // sftp
117, // uucp-path
119, // nntp
123, // NTP
135, // loc-srv /epmap
139, // netbios
143, // imap2
179, // BGP
389, // ldap
427, // SLP (Also used by Apple Filing Protocol)
465, // smtp+ssl
512, // print / exec
513, // login
514, // shell
515, // printer
526, // tempo
530, // courier
531, // chat
532, // netnews
540, // uucp
548, // AFP (Apple Filing Protocol)
556, // remotefs
563, // nntp+ssl
587, // smtp (rfc6409)
601, // syslog-conn (rfc3195)
636, // ldap+ssl
993, // ldap+ssl
995, // pop3+ssl
2049, // nfs
3659, // apple-sasl / PasswordServer
4045, // lockd
6000, // X11
6665, // Alternate IRC [Apple addition]
6666, // Alternate IRC [Apple addition]
6667, // Standard IRC [Apple addition]
6668, // Alternate IRC [Apple addition]
6669, // Alternate IRC [Apple addition]
6697, // IRC + TLS
};
For the completeness of the answer, a more complete list can be found on those links :
- http://www-archive.mozilla.org/projects/netlib/PortBanning.html
- http://code.google.com/p/browsersec/wiki/Part2#Port_access_restrictions
精彩评论