Starting from the most interesting info - another Comcast customer contacted
me, let's call him CCB, and the first Comcast customer I mentioned previously
will be CCA. CCB claims he had to disable some settings - probably "Advanced
Security" - in his Comcast router, because before doing so, nobody was able to
connect to his lightning node via IPv4 (clearnet, not tor). He claims to have
done this back in July or August. We tested just today, and both sides were
able to successfully initiate a TCP connection, no blocking here. Importantly,
at the same time I was not able to connect to CCA - timeout.
Chronology of tests (all times are in CEST):
around 18:00 yesterday - I started a tor relay (non-exit, ExitPolicy reject *:*)
22:09 - it appeared as online on https://metrics.torproject.org/ . Started
testing the connection to CCA, using "socat -dd -
TCP4:<CCA_ADDR>:<CCA_lightning_port>" every 5 minutes. Connected successfully.
07:07 - last successful connection to CCA
07:12 - first unsuccessful connection to CCA - timeout; all subsequent tests
with CCA end with timeout
08:10 - stopped tor relay
13:09 - 13:14 - tests with CCB - both sides can connect
17:54 - still cannot connect to CCA
18:19 - connected to CCA from my mobile phone connection (so from another IP,
which is not blacklisted, so we see CCA is not offline)
18:55 - still cannot connect to CCA
So port forwarding must be correct on CCA, or I would not be able to connect.
Now I think the blocking is real, probably on by default, but Comcast customers
can opt-out.
Doubts / weaknesses of tests and theory:
- only tested with 2 Comcast users
- not sure about CCA's firewall settings - I just assume he has "Advanced
Security" active
- my tests only cover connections from me to Comcast users. Not sure if this
"Advanced Security" also blocks connections from Comcast users. On one hand, my
lightning channel with CCA was inactive for a month or more, and CCA contacted
me because of it. Lightning nodes want and try to connect to all peers they
have a channel with, automatically - so his node presumably tried to connect
to mine. And lightning nodes publish their IP addresses, there are sites which
show current IP addresses of lightning nodes, like
https://1ml.com/node/030c3f19d742ca294a55c00376b3b355c3c90d61c6b6b39554dbc7ac19b141c14f
(the link already points to a concrete node). My node should announce its IP
addresses. So even if connection from me is blocked, he should initiate
connection. Inactive channel means he was not successful, difficult to explain
without blocking. OTOH, he claims he can connect to tor, so must be able to
connect to at least some tor relay, not necessarily mine.
Any volunteer Comcast customers for further testing? Preferably without
lightning nodes, because I'd like to test with this "Adv. security" active, and
it may interfere with lightning node (or any other use-case which needs high
uptime).
If my theory is correct, Comcast is slightly less evil than my very first post
would suggest. Still evil, because this blocking has little to do with security
- maybe blocking exit relays makes some sense, they can be misused for attacks,
DDoS etc. But according to Comcast, merely running a tor relay makes you a
threat. And this so-called security is probably on by default (according to
CCB) and "There are definitely popups all over the place telling me to turn it
on". So it is probably not apparent that this setting blocks (some? most?) tor
relays completely.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
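As an added example (not code from the post or from the Tor project), here is a Python version of the periodic socat check described in the message, with a constructed local listener for the demo; it distinguishes a timeout (consistent with silent filtering, which is what the post observed) from an active refusal (host reachable, port closed) and reports where in a run the result first flipped:

```python
import socket
import time
from datetime import datetime

def probe_tcp(host, port, timeout=10.0):
    """One TCP connect attempt. 'timeout' = no SYN-ACK and no RST (consistent
    with filtering); 'refused' = host answered with RST, so it is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error:%s" % (e.errno,)

def run_probes(host, port, interval=300, count=3, timeout=10.0, log=print):
    """Probe every `interval` seconds (300 s = the post's 5-minute cadence),
    logging local-time timestamps; returns a list of (timestamp, result)."""
    results = []
    for i in range(count):
        ts = datetime.now().astimezone().strftime("%Y-%m-%d %H:%M:%S %Z")
        result = probe_tcp(host, port, timeout)
        results.append((ts, result))
        log("%s %s:%d %s" % (ts, host, port, result))
        if i < count - 1:
            time.sleep(interval)
    return results

def first_change(results):
    """Index of the first probe whose result differs from the previous one
    (the 07:07 -> 07:12 flip in the post); None if nothing changed."""
    for i in range(1, len(results)):
        if results[i][1] != results[i - 1][1]:
            return i
    return None

def listen_locally():
    """Constructed demo target: a listener on an ephemeral 127.0.0.1 port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    srv, port = listen_locally()
    print(probe_tcp("127.0.0.1", port))   # connected
    srv.close()
    print(probe_tcp("127.0.0.1", port))   # refused
```

For a real peer, call run_probes with the peer's address and lightning port in place of the local listener.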