Are ports 21, 554, and 7070 open or closed? The answer is yes.

Perhaps you’re confused by the title, and if you are, you’re experiencing the same feeling I’ve had for the past day.  Alas, I’ve spent way too much time figuring out why my server was seemingly a bizzaro-world example of up is down, down is up reality.

Well, the reality that is pales in comparison to the journey that was,  so let’s briefly review the journey.

I was running security tests on my Rackspace Cloud Server after configuring the firewall, and the tests revealed that ports 21, 554, and 7070 were open.  This was not the intention of my firewall, and although I had done a fair amount of reading on iptables over the past few months, I was starting to question my understanding of even basic configuration options.

Eventually, I chatted with tech support to make sure that I wasn’t missing a default configuration of their cloud servers, but to my surprise the tech’s tests of my server did not reveal that the ports were open.  I was tired and wondering if I was imagining things, so I decided it was time to hit the hay.

The next morning, I immediately went back to the computer thinking the abnormal tendencies of my network would turn out to be stupid errors on my part, easily corrected by my sharper, rested mind (OK, I know, even well rested I’m no Einstein, but…)  However, the light of a new day merely revealed the strange truth of my tests.

I had no services running/listening on any of the listed ports, I was using a firewall that appeared to work for many other people just the way I thought it should work for me, and I could see evidence of the firewall working on other ports.  When I tested the ports (telnet, nmap, etc.), they were open.  However, when the tech and later my friend Davin tested the ports on their computers, they were closed.

It appears it was only one bad Apple that was spoiling a bunch of my tests.  I’m using a Time Capsule as my router, and after growing suspicious, a search brought up a rather similar issue.

After isolating the issue, it appears that Time Capsule was trying to “help” the situation by proxying certain protocols.  The issue is that it doesn’t even check with the server on some of the protocols to see if a connection can actually be obtained, it just makes it appear as though one has been granted and passes along follow-up requests.  Needless to say, this approach by Apple didn’t actually “help” me at all.

So, if you’re seeing some unexpected results of ports 21, 554, and 7070 being open on a remote server, I hope you find this blog post so you can quickly check if it’s a piece of Apple networking hardware that’s causing the issue.