Comments (7)

dhaavi commented on June 7, 2024 1

Thanks a lot for checking this out!

From this data, it seems that supporting ports 80 and 443 is a good first step.

The SPN does not depend on DNS.

from spn.

dhaavi commented on June 7, 2024

Hey @boistordu, this is indeed an interesting use case.

Is this your initial connection to the SPN? Without having connected to the SPN ever, it is really hard to do circumvention. If you have previously connected to the SPN, then Portmaster will have a local state of most servers and will be able to use better options.

Currently, we do not have circumvention features on the client side.
We are still evaluating what the best way forward is and what common use cases are, so your report is most welcome here.

Can you tell us more about the firewall you are behind and what it blocks and what it does not?
Things that would be interesting:

  • Can you ping hosts on the Internet?
  • Are DNS queries responded to correctly? (Does not matter if hijacked.)
  • Are there other common open ports?
    • Often, these are ports for protocols that cannot be redirected, e.g. for mail: 993, 995
  • If you know how to and have a server for testing, can you check if you can use protocols other than UDP and TCP?
  • Do they force you to use or is there a proxy available?

We are using port 17 now, as it makes it easier to distinguish in testing. We will offer a wide range of unsuspicious options in the future.

changemenemo commented on June 7, 2024

So from what I can ping on my subnet, it seems to be a Sophos installation.

Pings are always reachable.
What I can also tell from my end is that they have implemented Cloudflare DNS as their resolving server.

From what I can tell, your servers, or some of them, are located on port 17? That's clearly blocked.
873 is clearly blocked too, since I can't use NextDNS, for example.
HTTP and HTTPS are not blocked.
ProtonVPN is able to connect. That's one of the only VPNs I have that is able to.
So I guess it's because they have hardcoded the IP address of the servers.

Not all DNS queries are answered, so there is some filtering. Some of the VPN URIs, for example, are not answering.

I will do some further testing with a pentesting distribution to be sure what's open and what's not.

changemenemo commented on June 7, 2024

The biggest filtering is happening at night.
Here is the result of a simple nmap:

Host is up (0.24s latency).
Not shown: 30532 filtered ports
PORT STATE SERVICE
51001/tcp open unknown
51002/tcp open unknown
61001/tcp open unknown
61002/tcp open unknown

Not shown: 34998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Sorry, I had to separate the entire scan into 2 sets.

changemenemo commented on June 7, 2024

And that's a list from when they are opening the network for business:

Not shown: 65504 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
52065/tcp open unknown
52118/tcp open unknown
52172/tcp open unknown
52304/tcp open unknown
52616/tcp open unknown
52784/tcp open unknown
54231/tcp open unknown
55935/tcp open unknown
56227/tcp open unknown
56249/tcp open unknown
57682/tcp open unknown
58484/tcp open unknown
58500/tcp open unknown
59679/tcp open unknown
62508/tcp open unknown
62675/tcp open unknown
62857/tcp open unknown
63237/tcp open unknown
63425/tcp open unknown
64838/tcp open unknown
65342/tcp open unknown

changemenemo commented on June 7, 2024

Also, there is some URL filtering. For example, DuckDuckGo is not reachable.

dhaavi commented on June 7, 2024

The current versions of Portmaster and SPN now support connections on port 80 that also use HTTP (with a connection upgrade).
Our servers now also all listen on ports 80 and 8080.
